working
pcscd service
some progress
small fixes
conflicts resolved, needs testing
Lower default_cert_expiredays warning threshold to 27 days
Even at 28, ACME still sometimes warns unnecessarily just before renewal.
Merge pull request #4126 from vktg/ovpnwiz825
OpenVPN server cert default lifetime 825 days
IPsec swanctl conversion. Implements #9603
Init aliases array before use. Fixes #9936
Allow revoking serial '0' by number. Fixes #9869
Only try existent devices when looking for the dump device.
Switch default NTP pool server. Fixes #9931
2.<x> pools contain both IPv4 and IPv6 hosts.
Merge pull request #4098 from vktg/delzombiealiases
Merge pull request #4105 from vktg/guirebootarmcheck
cosmetic
Merge branch 'master' into p11ipsec
rebase
successful connection
more
first steps
merge with upstream
array_diff fix
php_uname func
Make hostname optional for DNS-O-Matic. This resolves ticket #7601.
Unset temp vars when refreshing CRLs. Issue #9915
Otherwise it might unintentionally add a CRL to a server which does not have one selected
When refreshing CRLs, increment suffix, do not clean up. Fixes #9915
While here, fix a bug with refresh path.
Correctly populate CRL issuer in crl_contains_cert. Fixes #9924
Add 'none' option to cert_build_list. Issue #9923
Restructure OpenVPN settings directory layout
Merge pull request #4114 from vktg/ospfpcap
Merge pull request #4107 from Godwottery/Godwottery-ping-wait
Merge pull request #4112 from vktg/poly1305tls12
Add select_source compatible output to cert_build_list(). Implements #9923
Enforce limiter delay 0<=x<=10000. Fixes #9921
Add OpenVPN Keepalive/Ping/Inactive input validation. Fixes #3473
Make OpenVPN username-as-common-name options. Implements #8289
Add exit notify to OpenVPN servers/clients. Implements #9078
Prevent OpenVPN tunnel network reuse. Fixes #3244
Ensures that a submitted tunnel network is not already in use on other OpenVPN client or server instances, to avoid conflicts.
Update OpenVPN EC list based on testing. Issue #9744
CDATA escape more auth-related fields. Fixes #9327
Hide OpenVPN 'interface' when multihome is selected. Fixes #7840
OpenVPN ECDH/ECDSA filtering. Fixes #9744
Can be revisited in the future if the corresponding OpenVPN bug is resolved.
OpenVPN status page sent/recv bytes sorting changes. Fixes #7359
OpenVPN page sorting tweaks
Add copy action to OpenVPN pages. Implements #5851
Added to Server, Client, and Client-Specific Override pages
arm check fix with get_single_sysctl()
Correct VTI IPv6 test and syntax. Fixes #9801
Move CA random serial option to upper section. Issue #9883
This allows it to be set when creating a new CA, so it doesn't have to be edited in later.
Also show the next serial/random status in the CA info block
Hide trust store line from non-CA entries since it's not relevant to...
Rename IPsec "RSA" options to "Certificate". Implements #9903
fix
more pretty func
Change interface disconnect/release button to 'danger'. Fixes #9911
While here, add the interface name to the button text.
Net effect is a confirmation box to ensure the user wants to take that action, which could be disruptive.
extra switch case for !ospf
fixes
Fix #7791: strings binary can be useful for troubleshooting
pcap ospf/ospfv3 support
Test DNS Hostnames separately from GWs when storing new values. Fixes #9898
Attempt to fetch EC curve OID if name is blank. Issue #9745
Certificate date calculation changes. Fixes #9899
Make the certificate date calculation more general and also try multiple ways to determine the date (both timestamp and unix timestamp).
Catch cases where one or the other date fails to calculate to avoid errors....
GUI improvements for ECDSA certificate handling
order fix
add poly1305-chacha20 to nginx cipher list
Change default ECDSA curve to prime256v1. Issue #9843
Previous default was brainpool, but brainpool curves are not (widely?) supported by browsers and were deprecated by IETF for TLS v1.3
Revert "RADVD: In "managed" or "stateless_dhcp" mode, don't use default values for DNS servers etc (these should come from DHCPv6)"
This reverts commit dcc887a355aae49c7df0c29752c04e12922aca83.
Show DNS server help when server list is empty
Use more accurate date calculations for CA/Cert operations.
Otherwise calculations could fail on ARM
Lower default cert expire days to 28.
At 30 days, an ACME cert may not have triggered automatic renewal yet, so it would warn unnecessarily.
Add edit screen for Certificate entries.
CA/Cert optimizations
Use central download function
Reduce duplicated/inconsistent code by using the new download function.
CA/Cert/CRL code optimizations
While here, use the new download function when exporting items
Add central file download function for use throughout the GUI.
Validate CA/CRL serial input. Issue #9883 Issue #9869
Update privilege definitions
Enforce a max lifetime for CA/Cert/CRL. Issue #3956
Add support for randomized cert serial numbers. Implements #9883
CRL Fixes
Update globals.inc
Update guiconfig.inc
CRL management overhaul
Also refresh trust store when renewing. Issue #4068
Add option to trust local CA entries. Implements #4068
Similar to closed PR #3558 from overhacked, but with a number of changes.
Make value of cert notify setting consistent with others. Issue #7332
Remove duplicate DHCP log block.
Allow packet capture to match IPv4+IPv6 CARP. Fixes #9867
CA validity checks. Fixes #3956
Add clientAuth EKU to Server type certificates. Fixes #9868
Certificate strength improvements. Fixes #9825
Fix whitespace
Update default config to match current default/version.
Add daily certificate expiration notice. Issue #7332
Add periodic framework to allow for daily/weekly/monthly tasks. Issue #7332
Fix Cert expire threshold input validation to allow empty values.