Now Available: pfSense Plus 25.11.1
-
pfSense Plus software, the world's leading firewall, router, and VPN solution, provides secure network edge and cloud networking solutions for millions of deployments worldwide.
Netgate announces the release of pfSense Plus software version 25.11.1. This maintenance software release contains over 26 fixes and improvements. All pfSense Plus users are encouraged to upgrade to this new version.
Key fixes and enhancements include:
- TLS Server Certificate Lifetime Lowered
- IPv6 Connection behavior with TSO enabled
- Vulnerability for rtsold in FreeBSD addressed
- Netgate 2100 LAN port improvements
Additional areas of improvement include:
- Aliases
- Backup/Restore
- Captive Portal
- DHCP
- DNS Resolver
- Gateway Monitor
- IPv6 Router Advertisements
- Package System
- Routing
- Firewall Rules/NAT
Please see Release Notes for a more complete list of each fix and enhancement.
Note: New installations of pfSense Plus 25.11.1 require the Netgate Installer version 1.1.1, available for download here.
Read the blog here:
https://www.netgate.com/blog/netgate-releases-pfsense-plus-software-version-25.11.1
Release Notes here:
https://docs.netgate.com/pfsense/en/latest/releases/25-11-1.html
-
"Allow packages to preserve RAM disk data between boots"
Yay :)
-
Hello, I did the upgrade & I have a 2100. So far, all is good. Thanks to the Team!
-
Netgate SG-4100 upgraded from 25.11, 2 min downtime only.
Looking good so far.
-
Unfortunately pppoe on virtualised environments is not fixed.
Had to disable lan card checksums again for this to work.
https://redmine.pfsense.org/issues/16638
-
Not really understanding the lowering of the days for certs. The lowering of how long a cert can be valid for is for public CAs, not private standalone CAs, which is what you would create when you create a CA in pfSense and then sign certs, and you trust that CA.
I have certs for 10 years, and no browser I have tested these with complains. And it is not some grandfathered sort of limit, because if you create a new CA and new certs, browsers are all just happy with them, no complaint about length of validity.
Pretty sure these limits on how long a cert is valid for are only on public CAs, so not really understanding why the default in Cert Manager should be lowered.
https://chromium.googlesource.com/chromium/src/+/master/net/docs/certificate_lifetimes.md#upcoming-changes
This will only apply to TLS server certificates from CAs that are trusted in a default installation of Google Chrome, commonly known as "publicly trusted CAs", and will not apply to locally-operated CAs that have been manually configured.
https://support.apple.com/en-us/102028
This change will not affect certificates issued from user-added or administrator-added Root CAs.
-
@johnpoz said in Now Available: pfSense Plus 25.11.1:
Not really understanding the lowering of the days for certs. The lowering of how long a cert can be valid for is for public CAs, not private standalone CAs, which is what you would create when you create a CA in pfSense and then sign certs, and you trust that CA.
It's what is recommended in the baseline TLS server certificate requirements and it isn't a forced requirement, just a recommendation in the GUI, so there is no reason not to honor it. However, it does affect some personal certificates as we had reports of failures (usually from people on Apple devices) in the past. Maybe they've changed their behavior somewhat, but as this is security software, we should err on the side of security.
-
@johnpoz said in Now Available: pfSense Plus 25.11.1:
Not really understanding the lowering of the days for certs.
Good news: Let's Encrypt now offers certs with an 'IP' SAN.
Bad news: max lifetime 6 days.
-
At 47 days, would it make sense for pfSense to have an "auto-renew this self-signed cert" option?
-
@SteveITS said in Now Available: pfSense Plus 25.11.1:
At 47 days, would it make sense for pfSense to have an "auto-renew this self-signed cert" option?
Yes, and it's already implemented for the next release:
-
@jimp true, but I'm sure not going to update the cert on my NAS that is only available locally to my trusted clients, etc. every X days ;) And really the only reason it has a cert is because the browser complains if it's not https. Otherwise I have zero use for my client talking to my server on my secure local network ;)
But a very valid point about following guidelines, and true, it's only a suggestion.
-
@johnpoz said in Now Available: pfSense Plus 25.11.1:
I have certs for 10 years, and no browser I have tested these with complains. And it is not some grandfathered sort of limit, because if you create a new CA and new certs, browsers are all just happy with them, no complaint about length of validity.
Pretty sure these limits on how long a cert is valid for are only on public CAs, so not really understanding why the default in Cert Manager should be lowered.
I raised this in the Redmine. I've also not seen issues with multi-year certs.
The one potential issue that I am aware of is with Safari, where it has been reported by others that there is a hard limit of 825 days for private CAs that went into effect around the time that the one-year requirement for public CAs went in. I've not experienced this myself, however. Have you tested with Safari?
-
Does this release include the BXE driver that was missing in 25.11?
-
@dennypage the only thing I have Safari on is an iPhone and iPad. I just tried loading the pfSense GUI with it; it does complain, but doesn't list validity dates as the issue. I will spin up some certs to see if it really is the 825-day limit.
edit: ok, Safari sucks, that is clear. So yeah, it doesn't like a cert set for 850 days, but is fine with one for 1 year. I will try one at 824 days.
-
@johnpoz said in Now Available: pfSense Plus 25.11.1:
@dennypage the only thing I have Safari on is an iPhone and iPad. I just tried loading the pfSense GUI with it; it does complain, but doesn't list validity dates as the issue. I will spin up some certs to see if it really is the 825-day limit.
edit: ok, Safari sucks, that is clear. So yeah, it doesn't like a cert set for 850 days, but is fine with one for 1 year. I will try one at 824 days.

-
@dennypage yeah, it likes 824 days, balks at 850 days. Ugh, another reason not to use Safari it seems. Add that to the long list of reasons already not to use it ;)
If you're going to say this cert is not good because its validity dates do not meet criteria X, then why not just say that.
-
Yeah, that's in line with things we've seen as well, and since both Apple and the CA/Browser forum seem to like doing whatever they feel like (or Apple tells them what to do), we also err on the side of recommending people follow the baseline requirements even if they aren't strictly applied to private entries yet.
But if you know what you're doing works for you on your own infrastructure and clients, feel free to ignore those warnings and do whatever you prefer.
That said, once we have auto-renew in place, for most things like OpenVPN servers there isn't much reason not to use a lower lifetime since it will be something you can set and pretty much forget. You don't need to redistribute the server cert itself.
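A small check for the lifetime limits the thread has been circling (the 825-day Safari limit on private CAs that the 824/850-day test observed, the one-year public-CA limit and the 47-day value), as an added example that is not code from the thread or from pfSense. It reads the two lines `openssl x509 -noout -dates -in cert.pem` prints, which is the real OpenSSL output format; the limit table and the two sample certs are assumptions constructed for the example.

```python
"""Check a certificate's validity span against the lifetime limits discussed above.

Added example, not from the thread or pfSense. Input is the output of
`openssl x509 -noout -dates`; the limit table is assumed from the thread.
"""
import math
from datetime import datetime

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jan  1 00:00:00 2025 GMT"

# Limits in days per trust context (assumption built from the thread):
# 825 = Safari's limit for private CAs, 398 = current public-CA limit ("one year"),
# 47 = the upcoming baseline value mentioned above.
LIMITS_DAYS = {
    "private": {"apple-private-ca": 825},
    "public": {"cab-current": 398, "cab-upcoming": 47},
}


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as naive UTC datetimes from `-dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            # A space in the strptime format matches any run of whitespace,
            # so OpenSSL's day padding ("Jan  1") parses unchanged.
            fields[key.strip()] = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
    return fields["notBefore"], fields["notAfter"]


def validity_days(not_before, not_after):
    """Length of the validity period, rounded up to whole days."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def lifetime_findings(dates_text, trust="private"):
    """Return (days, [names of limits exceeded]) for the given trust context."""
    not_before, not_after = parse_openssl_dates(dates_text)
    days = validity_days(not_before, not_after)
    exceeded = [name for name, limit in LIMITS_DAYS[trust].items() if days > limit]
    return days, exceeded


# Constructed samples: an 850-day and an 824-day cert, both issued 2025-01-01 00:00 UTC.
CERT_850_DAYS = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=May  1 00:00:00 2027 GMT\n"
CERT_824_DAYS = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Apr  5 00:00:00 2027 GMT\n"

if __name__ == "__main__":
    for label, sample in (("850-day", CERT_850_DAYS), ("824-day", CERT_824_DAYS)):
        days, exceeded = lifetime_findings(sample)
        print(f"{label}: {days} days, exceeds {exceeded or 'no limit'} for a private CA")
```

Against the 850-day sample it reports the private-CA limit as exceeded, and the 824-day sample passes, matching the Safari behaviour reported in the thread.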
-
@jimp all good info for sure. But not sure how I could automate putting a cert on, say, my old Cisco switches, or other 3rd party things like my UniFi controller, unless they support say ACME, and I could point it to pfSense for the certs?
-
@johnpoz There are various automation utilities out there that handle those sorts of tasks (Salt, Ansible, etc.). There might even be some reusable deploy shell scripts in repos like acme.sh.
If they support ACME and custom services, you could set up your own StepCA instance and issue your own that way. It's much easier than I expected; I did it when adding custom ACME server support into the package.
I have my lab stuff using ACME where possible, and since I have a domain just for my lab I just use actual LE certs for nearly everything.
-
Upgraded several 8300 and 6100, no issues.