13869 – OpenVPN - [Testing] IPFire 2.29 – Core Update 197 - TLS Channel Protection

Bug 13869 - OpenVPN - [Testing] IPFire 2.29 – Core Update 197 - TLS Channel Protection

Summary: OpenVPN - [Testing] IPFire 2.29 – Core Update 197 - TLS Channel Protection

Status:	ASSIGNED

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	unspecified Unspecified

Importance:	- Unknown - - Unknown -
Assignee:	Adolf Belka
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2025-08-11 18:02 UTC by iptom
Modified:	2025-08-20 16:55 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description iptom 2025-08-11 18:02:01 UTC

https://community.ipfire.org/t/testing-ipfire-2-29-core-update-197/14510/7?u=tphz

IPFire 2.29 (x86_64) - Core-Update 197 Development Build: master/87e1047a



After the upgrade, the selection "TLS Channel Protection" disappeared.

When you select and click "Save Advanced Settings" - the setting does not save.

Comment 1 Adolf Belka 2025-08-11 18:17:51 UTC

I have found the same effect.

Although it is not shown on the Advanced Settings page the TLSAUTH setting of enabled or disabled and the TLS Has type are saved in the /var/ipfire/ovpn/settings file.

I have also identified that if the hash type is changed then the ta.key file stays the same with what looks to be the SHA2-512 value.

I have also identified that this issue with the TLS hash entry in the ta.key file not being updated when the TLS entry is modified was also showing this behavious in CU196 and probably for longer.

Comment 2 Adolf Belka 2025-08-11 18:47:25 UTC

I have confirmed that the ta.key file was always the 2048 bit key, which I believe is the SHA2-512 hash, back in CU189 also.

Comment 3 Adolf Belka 2025-08-11 18:48:30 UTC

(In reply to Adolf Belka from comment #2)
> I have confirmed that the ta.key file was always the 2048 bit key, which I
> believe is the SHA2-512 hash, back in CU189 also.

So that problem is not coming from the OpenVPN-2.6 update, it has been present for a long time but nobody has flagged it up.

Comment 4 Adolf Belka 2025-08-11 19:27:30 UTC

Ignore my entries about the ta.key not changing. I got mixed up.

Once created the ta.key stays like that. It is used by the client to carry out the HMAC communication using the hash setting defined in the DAUTH option in the .ovpn file.

So there is nothing wrong with the ta.key entry.

The only issue is that the advanced settings are saved into the settings file and used by the client/server but are not saved into the Advanced Settings page, which always shows the initial set of settings rather than what has been saved.

Sorry for my noise on this issue.

Comment 5 Adolf Belka 2025-08-20 16:55:51 UTC

After having a look at the section to do with the advanced settings I realised that most of the parameters had their hash changed from %cgiparams to %vpnsettings except for the DCIPHER, DAUTH and TLSAUTH values. These stayed with %cgiparams and this hash is no longer filled from the settings file.

Patch submitted to fix this. Tested out on my vm testbed system and it worked for me.

https://lists.ipfire.org/development/20250820165147.21850-1-adolf.belka@ipfire.org/T/#u

https://patchwork.ipfire.org/project/ipfire/list/?series=5102