Further info:

I dug through the package repo and found that IGMP proxy has indeed updated with 2.5.0. But when I tried reverting back to the 2.4.5 version, it didn't fix my issue, so I guess the problem is not IGMP proxy itself but the fact that pfSense fails to restart it.

I checked the system log events when the interface goes down and found that the script /etc/rc.newwanip runs automatically when it comes back up. Looking in this script, there's a function near the end to restart the IGMP proxy: services_igmpproxy_configure()

Trouble is, that function only executes when a change in IP address is found, which is never going to happen because the interfaces on both sides of the proxy have static IPs.

I've edited my script and added a couple of lines at the end to make it go ahead and do the restart whenever the interface coming up is one that's used by IPTV (opt1 is my LAN side and opt3 is the WAN side):

/* reload igmpproxy for IPTV interface */
if ($interface == "opt1" || $interface == "opt3") {
services_igmpproxy_configure();
}

This seems to be doing the job for me, but I guess it will get wiped out by a future update, and I still don't know what changed to make this workaround necessary.

@michaelschefczyk
Hi Michael,
I think you should look a little at that cipher list, or perhaps not configure it and go for the SSL/TLS Compatibility Mode: 'intermediate' ?
That should help to get TLS1.2 back available. (at least in my ssllabs-server-test)

And yes having a ECDSA cert should help to lower the overhead a bit from what ive read, having rather low traffic numbers myself ive never bothered to investigate the exact details there..
Regards PiBa-NL

@czvacko said in 2.5.0 is deleting certs needed for SSL LDAP Squid auth:

How about squidGuard ? Were there any changes in the source code ?

Please create a new topic/bugreport with this issue

Could be related to https://redmine.pfsense.org/issues/11434

@stephenw10 thank you :-)

Hi,

Updating to pfSense 2.5.0 and adding the following has enabled TLS1.3 and 1.2,

OpenSSL Version 1.1.1 installed.

ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

Screenshot from 2021-02-18 00-37-39.png

@viktor_g Thank you. You helped me so much

@viktor_g ipv4

This magically resolved itself, by adding both 443 and port 444 on the SYNC network,