Dear friends and followers,

The update finally addresses one of the larger issues with IPsec in
17.1, where traffic was not properly tracked by the packet filter,
which caused spurious connection drops in TCP sessions.  Another
cool addition is the merge of the HardenedBSD SafeStack work to
further harden the application binaries of our operating system.

Last but not least, the switch to the new virtual terminal driver
is now fully functional and we intend to release new images based
on 17.1.4 on Monday next week.  Note this does not affect running
installations.

Upgrading from a physical console may abort the firmware update due
to an incompatible switch in the TTY settings.  Simply log in again
and restart the update to continue.  Note this does not affect
upgrades via GUI or SSH.  Should problems arise, force a reinstall
of the core package from the shell with the following command:

opnsense-revert opnsense

Here are the full patch notes:

o system: early installer switched for simpler config importer
o system: no longer set shell privileges on password reset
o system: avoid misinterpreting obsoleted options use_mfs_tmp_size
  and use_mfs_var_size
o system: do not prompt for password on user edit
o system: modernise console/tty settings
o interfaces: always wait for dhclient exit
o firewall: handle scheduled restarts via new plugin_cron() facility
o traffic shaper: exclude IP address when using 3G/4G modems
o dnsmasq: configure exclusively via plugin calls
o ipsec: remove filtertunnel workaround in light of bundled kernel fix
o ipsec: fix missing CA selection for mutual RSA
o ipsec: require authentication header as first file
o ipsec: include path consolidation
o openvpn: allow tunnel network overrides to contain host addresses
o openvpn: take client IP for topology subnet in CSC
o openvpn: include patch consolidation
o unbound: configure exclusively via plugin calls
o web proxy: harden SSL ciphers (contributed by Fabian Franz)
o mvc: fix multiple scoping issues in base volt templates
o lang: updates for Chinese, Czech, French, German, Portuguese
o plugins: Let's Encrypt 1.4[1][2] (contributed by Felix Kling
  and Frank Wall)
o plugins: HAproxy 1.13[3] (contributed by Frank Wall)
o src: tzdata version 2017b[4]
o src: HardenedBSD SafeStack for base applications[5]
o src: fix IPsec skip parameter handling in IPv4
o src: discard 3072 bytes in arc4_stir() (contributed by Codarren Velvindron)
o ports: ca_root_nss 3.30
o ports: php 7.0.17[6]
o ports: libarchive 3.3.1
o ports: ntp 4.2.8p10[7]

We are also happy to announce the availability of the renewed OPNsense 17.1
images based on this version.  Apart from the numerous improvements since
the initial release, the images have been switched to use the virtual
console driver vt(4) as a default to address boot issues.  They also feature
a new config importer and fix the serial console display of the installer.

For more than two years now, OPNsense has been driving innovation through
modularising and hardening the code base, quick and reliable firmware
upgrades, multi-language support, fast adoption of upstream software
updates, and clear and stable 2-Clause BSD licensing.

Download links, an installation guide[8] and the checksums for the images
can be found below.

o Europe: https://opnsense.c0urier.net/releases/17.1.4/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/17.1.4/
o US West Coast: http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.4/
o Full mirror list: https://opnsense.org/download/
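
Checking a downloaded image against the published `SHA256 (file) = digest` lines, as an added example that is not part of this announcement: the function parses that BSD-style checksum format, computes the digest with whichever tool the host provides, and only accepts SHA256 entries, since MD5 no longer offers meaningful collision resistance. The sample file, its digest and the checksum lines are constructed inline; no real image is downloaded.

```shell
#!/bin/sh
# Added example (not OPNsense project code): verify a downloaded image against
# a published BSD-style checksum line such as
#   SHA256 (OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2) = <64 hex digits>
# Only SHA256 lines are accepted; MD5 lines are refused.

# sha256_of FILE -> lowercase hex SHA256 digest, using GNU coreutils,
# Perl shasum, or the BSD sha256 utility, whichever is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "no SHA256 tool found" >&2
        return 2
    fi
}

# verify_image CHECKSUM_LINE FILE
# Returns 0 when the line is a SHA256 entry for FILE's basename and the
# digest matches; 1 on mismatch, wrong file name, or a non-SHA256 entry.
verify_image() {
    line=$1
    file=$2
    algo=${line%% (*}          # algorithm name before " ("
    rest=${line#* (}           # "name) = digest"
    name=${rest%%) = *}        # file name inside the parentheses
    expected=${rest##*) = }    # digest after ") = "
    [ "$algo" = "SHA256" ] || { echo "refusing non-SHA256 entry ($algo)" >&2; return 1; }
    [ "$name" = "$(basename "$file")" ] || { echo "line is for $name, not $file" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Constructed sample: a small file with a known SHA256, plus a matching line,
# a mismatching line and an MD5 line in the published format.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'hello\n' > "$tmp/sample.img.bz2"
GOOD_LINE="SHA256 (sample.img.bz2) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
BAD_LINE="SHA256 (sample.img.bz2) = 0000000000000000000000000000000000000000000000000000000000000000"
MD5_LINE="MD5 (sample.img.bz2) = b1946ac92492d2347c6235b4d2611184"
verify_image "$GOOD_LINE" "$tmp/sample.img.bz2" && echo "sample: OK"
verify_image "$BAD_LINE" "$tmp/sample.img.bz2" || echo "sample: digest mismatch detected"
```

For a real image, paste the matching SHA256 line from the announcement as the first argument and the downloaded `.bz2` path as the second; the file name in the line must match the download's basename.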


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/91
[2] https://github.com/opnsense/plugins/pull/103
[3] https://github.com/opnsense/plugins/pull/94
[4] http://mm.icann.org/pipermail/tz-announce/2017-March/000046.html
[5] https://hardenedbsd.org/article/shawn-webb/2016-11-27/introducing-safestack
[6] https://php.net/ChangeLog-7.php#7.0.17
[7] https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable
[8] https://docs.opnsense.org/manual/install.html
