IPFire developer Peter Mueller today announced the general availability of IPFire 2.27 Core Update 172, the latest stable release of this open-source hardened Linux firewall distribution for routers and firewalls, bringing updates to VPN cryptography and updated components.
The biggest changes in this new hardened IPFire Linux firewall release are the improvements the development team has made to the distribution's VPN (Virtual Private Network) implementation to enable future-proof VPN cryptography.
More specifically, IPFire 2.27 Core Update 172 raises the key length of Root CA (Certificate Authority) certificates for IPsec and OpenVPN VPN clients/peers from 2048-bit to 4096-bit RSA, as 2048-bit encryption is no longer recommended by security professionals for long-term security purposes. The key pair generated for IPFire’s web interface has also been updated to 4096-bit RSA.
The OpenVPN implementation is automatically reconfigured to use a secure Diffie-Hellman parameter, allowing both clients and peers to benefit from this cryptographic improvement. Also, IPFire OpenVPN now properly backs up CRLs (Certificate Revocation Lists) and reloads them before (re)starting the VPN service.
Future IPFire releases promise post-quantum cryptography (PQC) support for the IPsec VPN implementation. “There is a strong (and growing) need (for post-quantum cryptography) thanks to so-called ‘capture now, decrypt later’ attacks that compromise the confidentiality of information with long-term confidentiality requirements, such as biometric and health data,” explains Peter Müller.
Among other notable changes, the IPFire 2.27 Core Update 172 release updates IPFire’s trust store to reflect Mozilla’s decision to distrust the root certificates of TrustCor Systems S. DE R.L., tightens various file permissions as a defense-in-depth measure, adds an extensive patch set to the Python implementation, and updates numerous core components and add-ons to their latest versions (see the release announcement for details).
Photo credit: IPFire project (edited by Marius Nestor)