November 2023 updates: pfSense Plus 23.09, CE 2.7.1, OpenSSL, Kea DHCP, & Squid Proxy Deprecation

Captions
Tom here from Lawrence Systems. It is November 13th of 2023, and the people at Netgate have been busy. We have a new release, 23.09, of pfSense Plus; pfSense CE is at 2.7.1, which is your release candidate. Both contain the updated OpenSSL, moving them to the 3.0 series as opposed to the unsupported 1.1.1 series of OpenSSL, a new DHCP server, and the end of Squid. That's a lot to talk about, so let's dive into it.

Now, we're going to start with the pfSense version 23.09, released on November 6th of 2023. I've updated several systems; they have worked perfectly fine, no problem with any of the Netgate devices we've done. We still have more to do because we have a lot of clients running this. The major change is OpenSSL; they have a dedicated blog post to this. The too-long-didn't-read of their blog post is: the OpenSSL version 1.1.1 has reached end of life in September of 2023, and the Netgate team has rebuilt the pfSense system to use version 3.0.12 for both pfSense CE 2.7.1, which is in release candidate, and 23.09. There is some confusion I've seen amongst a lot of people when I brought this up. They say, "Well, isn't FreeBSD supporting this, because FreeBSD says it's in support?" Not exactly, and that's because OpenSSL is supported by OpenSSL, and yes, there have been flaws found in OpenSSL 1.1.1 that are on the will-not-be-fixed list because it has reached end of life. More and more projects are going to have to move to OpenSSL 3.0, and that's where the challenge comes in, as that move will break some things depending on how dependent those things are on specifics of OpenSSL 1 that may not be the exact parity features that are in OpenSSL 3. So this can be a trivial task or a complicated task; it kind of depends on all the interdependencies. The big interdependency you're going to see, though, is going to be with OpenVPN and some of the older deprecated functions, and if you have any certificates that are also built with the older deprecated security, that means they will not work. Now, this will allow the upgrade to work, but those particular things will fail, telling you they are not supported anymore in the modern version of OpenSSL. So you either have to rebuild your OpenVPN or rebuild your certificates if you do the upgrade and you're using those older certificates. And before you do the upgrade, you can simply look here to see if these are the ones you have in use, and read their blog post on that topic for more details.

The next topic is the Kea DHCP server, added as an opt-in feature. The reason it's opt-in is because it's not feature complete yet, but this is an important change because the ISC version has been deprecated. So ISC DHCP is a deprecated project, but still in pfSense and many other projects as the primary DHCP server, and they are working to build feature completeness with the new Kea, which is a supported one. This comes from the Internet Consortium; they actually produced both of these as open source projects, but they have now stopped adding updates to the ISC, the older one, and all the updates are focused on the Kea one. Well, they've done the integration, but they've not completed the integration. You can easily switch between them. I've done some testing with it; it is up to you if you want to test. This is optional, and there's a blog post you can dive into on there, and I'll leave you a forum post where there's some discussion about some of the bugs people are finding with it, and, you know, you can continue looking at it and help them troubleshoot it so we can get that feature complete and find any of the edge cases, so that can eventually become the primary DHCP server.

Now I want to jump over to the release candidate of the pfSense CE, or Community Edition, software, 2.7.1. You'll see it's pretty much the same: we've got the updated changes, OpenSSL and the Kea DHCP server, and actually the other errata down here is the same as well, moving to PHP 8.2.11 and FreeBSD 14-CURRENT. So now they are pretty much in parity with each other, the 23.09 and 2.7.1. It's a release candidate as of making this video, but I did some testing so far; I didn't have any problems with it, but there are still, you know, probably a few more minor bugs that might need to be closed. But there is, of course, a call for people who would like to do the testing to help do the final troubleshooting on this to get this release out. You'll find those links down below.

Now let's talk about the deprecation of the Squid add-on packages for pfSense. I know this is a controversial topic, but there are some unresolved vulnerabilities in Squid. This is a pretty big challenge because, well, Squid's been around a long time, and you would assume a project that is so well used by so many people, and is really the underpinnings of many of the commercial firewalls (or they may obscure that they're actually using Squid; that's often the same proxy of choice that they bake into their systems), this project is extremely under-resourced. And it comes down to this blog post right here: 55 vulnerabilities found in Squid caching proxy and 35 zero-days. This goes back to 2021, and I'll leave links to this as well so you can read through here, but essentially this came down to a security researcher finding a lot of problems. I tweeted about this a couple weeks ago, posted on a couple of my socials, and it came down to essentially that the Squid team is going, "Yeah, those are a lot of security vulnerabilities; we don't have the resources to patch them all." So this person says, "Well, we'll just post them, because they're going to get found, and if we make them discoverable by more people, people will make decisions like Netgate has," to go, "Well, we probably shouldn't use this project." I'm hoping some decision gets made that this project gets more support and resources, but that doesn't really seem to be the case that has happened so far. So with all these different problems, and they're outlined in here, the different types of vulnerabilities, and unfortunately what this came down to is: the Squid team have been helpful and supportive during the process of reporting these issues; however, they are effectively understaffed and simply do not have the resources to fix these issues.

While the future of Squid may not be completely clear, I'm also not clear on the future of doing intercept with the firewall and putting certificates in so each one of these systems that are connecting trust the firewall as another intermediary between that and the server that they're connecting to, just so you can intercept the traffic. If you have a proper TLS 1.3 implementation with perfect forward secrecy, that even makes things more complicated, and with some of the push for encrypted hello, for example, now you're making it even more challenging, and I'm seeing those types of tools really have some struggles with that, including a lot of them recommending disabling the QUIC protocol, which gives you a, well, less great internet experience. Also, for caching, it's not as necessary here in 2023 unless you're somewhere that has, well, still has dial-up. I know dial-up still exists here to some extent, but I don't know how many people have dial-up and would actually benefit that much from a Squid proxy, and the dynamic nature of many of the things on the web doesn't lend it very well to Squid caching those things as effectively as it did when I set one up 20 years ago.

Love hearing from you; leave your thoughts and comments down below, thoughts, questions, comments, concerns and all that around all these different updates. Let me know if you've upgraded to the latest version of pfSense Plus or if you're on the release candidate, or maybe when you watch this video the release candidate has turned into the full version; leave that down below too, which one you're going with, I'm always curious. Like and subscribe if you want to see more content from this channel, and head over to LawrenceSystems.com to connect with me on whatever socials you can find me on when you go there. Thanks.
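The video's advice to check your certificates before the OpenSSL 3 upgrade can be turned into a pre-upgrade script. The following is an added example written for this page, not code from the video or from Netgate: it reads `openssl x509 -noout -text` output and flags certificates whose signature hash or key size are commonly rejected by OpenSSL 3.x default policy. The thresholds (SHA-1/MD5 signatures, RSA keys under 2048 bits, EC keys under 224 bits) and the function names `classify_cert_text` and `check_cert_file` are this example's own assumptions, not Netgate's list; Netgate's blog post is the authority on what pfSense 23.09 and 2.7.1 actually reject.

```shell
#!/bin/sh
# Added example (not from the video or from Netgate's blog post).
# Flags X.509 certificates whose signature hash or key size are likely
# to fail under OpenSSL 3.x default policy. The thresholds below are
# this example's assumptions:
#   SHA-1 / MD5 / MD2 signatures  -> WEAK-SIGNATURE
#   RSA keys under 2048 bits      -> WEAK-KEY
#   EC keys under 224 bits        -> WEAK-KEY

# classify_cert_text: reads `openssl x509 -noout -text` output on stdin
# and prints OK, WEAK-SIGNATURE, WEAK-KEY or WEAK-SIGNATURE,WEAK-KEY.
classify_cert_text() {
    sigalg="" keyalg="" bits="" reasons=""
    while IFS= read -r line; do
        case "$line" in
            *"Signature Algorithm:"*)
                # The first occurrence is the one inside the signed body;
                # the trailing copy after the extensions is ignored.
                [ -z "$sigalg" ] && sigalg=${line##*Signature Algorithm: }
                ;;
            *"Public Key Algorithm:"*)
                keyalg=${line##*Public Key Algorithm: }
                ;;
            *"Public-Key: ("*)
                # "Public-Key: (1024 bit)" -> "1024"
                bits=${line##*Public-Key: (}
                bits=${bits%% bit*}
                ;;
        esac
    done

    # Signature hash check (case-insensitive substring match).
    sig_lc=$(printf '%s' "$sigalg" | tr 'A-Z' 'a-z')
    case "$sig_lc" in
        *sha1*|*md5*|*md2*) reasons="WEAK-SIGNATURE" ;;
    esac

    # Key size check, with a threshold that depends on the key type.
    if [ -n "$bits" ]; then
        case "$keyalg" in
            rsaEncryption|rsassaPss)
                [ "$bits" -lt 2048 ] && reasons="${reasons:+$reasons,}WEAK-KEY" ;;
            id-ecPublicKey)
                [ "$bits" -lt 224 ] && reasons="${reasons:+$reasons,}WEAK-KEY" ;;
        esac
    fi

    printf '%s\n' "${reasons:-OK}"
}

# check_cert_file: run the classifier against a PEM or DER certificate file.
check_cert_file() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | classify_cert_text
}

# Example usage over a directory of exported certificates (path is a placeholder):
#   for f in /path/to/exported/certs/*.crt; do
#       printf '%s: ' "$f"; check_cert_file "$f"
#   done
```

Because the classifier only parses text, it can be exercised without `openssl` on the machine running the test; `check_cert_file` is the thin wrapper that needs the binary. Anything reported as WEAK-SIGNATURE or WEAK-KEY is a candidate for reissuing before the upgrade, which is the rebuild-your-certificates step the video describes.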
Info
Channel: Lawrence Systems
Views: 23,823
Keywords: LawrenceSystems, pfsense firewall, pfsense plus, pfsense setup, pfsense plus free, pfsense (software), pfsense router, pfsense update, proxy server, pfsense server, pfsense 2.7, pfsense ce 2.7.1, pfsense plus vs pfsense ce, pfsense ce to plus upgrade, pfsense plus 23.09
Id: Qc_FTuMNcjw
Length: 7min 16sec (436 seconds)
Published: Tue Nov 14 2023