IPFire developer Peter Müller announced today the general availability of IPFire 2.27 Core Update 172 as the latest stable release of this open-source hardened Linux firewall distribution for routers and firewalls. The release brings updates to VPN cryptography and updated components.
The biggest changes in this new IPFire hardened Linux firewall release are the improvements the development team added around the VPN (Virtual Private Network) implementation offered within the distribution in an attempt to future-proof VPN cryptography.
More specifically, IPFire 2.27 Core Update 172 raises the RSA key length of root CA (Certificate Authority) certificates for both IPsec and OpenVPN VPN clients/peers from 2048 bits to 4096 bits, because 2048-bit keys are no longer recommended by security experts for long-term security purposes. The key pair generated for IPFire’s web interface is also updated to 4096-bit RSA.
The OpenVPN implementation will be automatically reconfigured to use a secure Diffie-Hellman parameter so that both clients and peers can benefit from this cryptography improvement. In addition, IPFire now properly backs up and reloads OpenVPN CRLs (Certificate Revocation Lists) before the VPN service is (re-)started.
Future IPFire releases promise support for post-quantum cryptography (PQC) for the IPsec VPN implementation. “There is a strong (and growing) need [for post-quantum cryptography], thanks to so-called ‘capture now, decrypt later’ attacks endangering the confidentiality of information with long-term secrecy demand, such as biometric and health data,” explains Peter Müller.
Among other noteworthy changes, the IPFire 2.27 Core Update 172 release updates IPFire’s trust store to incorporate Mozilla’s decision to distrust the root certificates of TrustCor Systems S. DE R.L., tightens various file permissions as a defense-in-depth measure, adds a massive patchset to the Python implementation, and updates numerous core components and add-ons to their latest versions (check out the release announcement for details).