Tom here from Lawrence Systems. It is November 13th of 2023, and the people at Netgate have been busy. We have a new release, 23.09 of pfSense Plus. pfSense CE is at 2.7.1, which is your release candidate. Both contain the updated OpenSSL, moving them to the 3.0 series as opposed to the unsupported 1.1.1 series of OpenSSL, a new DHCP server, and the end of Squid. That's a lot to talk about, so let's dive into it.

Now, we're going to start with pfSense version 23.09, released on November 6th of 2023. I've updated several systems; they have worked perfectly fine, no problem with any of the Netgate devices we've done. We still have more to do, because we have a lot of clients running this. The major change is OpenSSL, and they have a dedicated blog post on this. The too-long-didn't-read of that blog post is that OpenSSL version 1.1.1 reached end of life in September of 2023. The Netgate team has rebuilt the pfSense system to use version 3.0.12 for both pfSense CE 2.7.1, which is a release candidate, and 23.09. There is some confusion I've seen amongst a lot of people when I brought this up. They say, well, isn't FreeBSD supporting this, because FreeBSD says it's in support? Not exactly, and that's because OpenSSL is supported by OpenSSL, and yes, there have been flaws found in OpenSSL 1.1.1 that are on the will-not-be-fixed list because it has reached end of life. More and more projects are going to have to move to OpenSSL 3.0, and that's where the challenge comes in, as that move will break some things, depending on how dependent those things are on specifics of OpenSSL 1 that may not have exact parity with the features in OpenSSL 3. So this can be a trivial task or a complicated task; it kind of depends on all the interdependencies. The big interdependency you're going to see, though, is going to be with OpenVPN and some of the older deprecated functions. And if you have any certificates that are also built with the older deprecated security, that means they will not work.
Now, this will allow the upgrade to work, but those particular things will fail, telling you they are not supported anymore in the modern version of OpenSSL. So you either have to rebuild your OpenVPN or rebuild your certificates if you do the upgrade and you're using those older certificates. And before you do the upgrade, you can simply look here to see if these are the ones you have in use, and read their blog post on that topic for more details.

The next topic is the Kea DHCP server, and it is an opt-in feature. The reason it's opt-in is because it's not feature complete yet, but this is an important change because the ISC version has been deprecated. So ISC DHCP is a deprecated project, but it is still in pfSense and many other projects as the primary DHCP server, and they are working to build feature completeness with the new Kea, which is a supported one. This comes from the Internet Systems Consortium (ISC). They actually produce both of these as open source projects, but they have now stopped adding updates to the ISC one, the older one, and now all the updates are focused on the Kea one. Well, they've done the integration, but they've not completed the integration. You can easily switch between them. I've done some testing with it. It is up to you if you want to test. This is optional, and there's a blog post you can dive into on there, and I'll leave you a forum post where there's some discussion about some of the bugs people are finding with it. You can continue looking at it and help them troubleshoot it so we can get that feature complete and find any of the edge cases, so that it can eventually become the primary DHCP server.

So I want to jump over to the release candidate of the pfSense CE, or Community Edition, software, 2.7.1. You'll see it's pretty much the same. We've got the updated changes, OpenSSL and the Kea DHCP server, and actually the other errata down here are the same as well: moving to PHP 8.2.11 and FreeBSD 14-CURRENT.
So now they are pretty much in parity with each other, 23.09 and 2.7.1. It's a release candidate as I'm making this video, but I did some testing so far and I didn't have any problems with it, though there are still probably a few more minor bugs that might need to be closed. But there is, of course, a call for people who would like to do the testing to help do the final troubleshooting on this to get this release out. You'll find those links down below.

Now let's talk about the deprecation of the Squid add-on packages for pfSense. I know this is a controversial topic, but there are some unresolved vulnerabilities in Squid. This is a pretty big challenge because, well, Squid's been around a long time, and you would assume a project that is so well used by so many people, and is really the underpinnings of many of the commercial firewalls (they may obscure that they're actually using Squid, but that's often the same proxy of choice that they bake into their systems), would be well supported. This project is extremely under-resourced. And that comes down to this blog post right here: 55 vulnerabilities found in the Squid caching proxy and 35 zero-days. This goes back to 2021. I'll leave links to this as well, and you can read through here, but essentially this came down to a security researcher finding a lot of problems. I tweeted about this a couple of weeks ago and posted it on a couple of my socials, and it came down to essentially that the Squid team is going, yeah, those are a lot of security vulnerabilities; we don't have the resources to patch them all. So this person says, well, we'll just post them, because they're going to get found, and if we make them discoverable by more people, people will make decisions like Netgate has: well, we probably shouldn't use this project. I'm hoping some decision gets made that this project gets more support and resources, but that doesn't really seem to be the case that has happened so far.
So with all these different problems, and the different types of vulnerabilities are outlined in here, unfortunately what this came down to is that the Squid team have been helpful and supportive during the process of reporting these issues; however, they are effectively understaffed and simply do not have the resources to fix the discovered issues. While the future of Squid may not be completely clear, I'm also not clear on the future of doing intercept with the firewall and putting certificates in, so that each one of these systems that is connecting trusts the firewall as another intermediary between it and the server it's connecting to, just so you can intercept the traffic. If you have a proper TLS 1.3 implementation with perfect forward secrecy, that makes things even more complicated, and with some of the push for Encrypted Client Hello, for example, now you're making it even more challenging. I'm seeing those types of tools really have some struggles with that, including a lot of them recommending disabling the QUIC protocol, which means a, well, less great internet experience. Also, for caching, it's not as necessary here in 2023 unless you're somewhere that, well, still has dial-up. I know dial-up still exists here to some extent, but I don't know how many people have dial-up and would actually benefit that much from a Squid proxy, and the dynamic nature of many of the things on the web doesn't lend itself very well to Squid caching those things as effectively as it did when I set one up 20 years ago.
I love hearing from you, so leave your thoughts and comments down below: thoughts, questions, comments, concerns and all that around all these different updates. Let me know if you've upgraded to the latest version of pfSense Plus or if you're on the release candidate, or maybe, by the time you're watching this video, the release candidate has turned into the full version; leave that down below too, which one you're going with. I'm always curious. Like and subscribe if you want to see more content from this channel, and head over to lawrencesystems.com to connect with me on whatever socials you can find me on when you go there. Thanks.
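The certificate caveat raised earlier in the video (certificates built with older, deprecated signature algorithms stop working for OpenVPN after the move to OpenSSL 3) is something worth checking before you upgrade rather than after. The script below is an added example and is not code from the video, from pfSense, Netgate or OpenVPN. It walks the DER of each PEM certificate with a small stdlib-only ASN.1 reader and reports the signature algorithm and RSA key size, flagging MD5/SHA-1 signatures (OpenSSL 3.0 refuses SHA-1-signed certificates at security level 1, its default) and RSA keys below a minimum that defaults to 2048 bits (an assumption, matching what security level 2 requires). The two sample certificates are constructed inside the script by the hypothetical helper `make_sample_cert` so it runs offline; real input is any PEM certificate exported from the pfSense Certificate Manager.

```python
"""Pre-upgrade check for the OpenSSL 3 cut-over: report each certificate's
signature algorithm and RSA size and flag what OpenSSL 3.x will reject.
Stdlib only (no python-cryptography).  Added illustration, not pfSense code."""
import base64
import re

SIG_OIDS = {                                    # common signatureAlgorithm OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
RSA_OID = "1.2.840.113549.1.1.1"

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Top-level (tag, value) elements inside a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_oid(val):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_cert(pem, min_rsa_bits=2048):
    """Return {'sig_alg', 'rsa_bits', 'ok_openssl3'} for one PEM certificate.
    SHA-1/MD5 signatures fail at OpenSSL 3.0's default security level 1;
    min_rsa_bits=2048 is an assumed policy (what security level 2 demands)."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    tbs, sig_alg, _sig = _children(_tlv(der, 0)[1])   # Certificate ::= SEQ {tbs, alg, sig}
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    sig_name = SIG_OIDS.get(oid, oid)
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                    # explicit [0] version (v2/v3) precedes serial
        fields = fields[1:]
    spki = _children(fields[5][1])              # serial, sigAlg, issuer, validity, subject, SPKI
    rsa_bits = None
    if _decode_oid(_children(spki[0][1])[0][1]) == RSA_OID:
        rsa_seq = _children(spki[1][1][1:])[0][1]      # BIT STRING: skip pad byte -> RSAPublicKey
        rsa_bits = int.from_bytes(_children(rsa_seq)[0][1], "big").bit_length()
    weak_sig = "md5" in sig_name or "sha1" in sig_name.lower()
    ok = not weak_sig and (rsa_bits is None or rsa_bits >= min_rsa_bits)
    return {"sig_alg": sig_name, "rsa_bits": rsa_bits, "ok_openssl3": ok}

def _enc(tag, body):
    """DER TLV encoder (short and long length forms), used only for the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = bytes([a & 0x7F]), a >> 7
        while a:                                # base-128, high bit set on all but last byte
            chunk, a = bytes([0x80 | (a & 0x7F)]) + chunk, a >> 7
        out += chunk
    return _enc(0x06, out)

def make_sample_cert(sig_oid, rsa_bits):
    """CONSTRUCTED sample (hypothetical helper): a v3 certificate skeleton with the
    given signature OID and RSA size, dummy names and an all-zero signature."""
    def seq(*parts):
        return _enc(0x30, b"".join(parts))
    n = b"\x00" + ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8, "big")  # top bit set
    key = _enc(0x03, b"\x00" + seq(_enc(0x02, n), _enc(0x02, b"\x01\x00\x01")))
    spki = seq(seq(_enc_oid(RSA_OID), _enc(0x05, b"")), key)
    alg = seq(_enc_oid(sig_oid), _enc(0x05, b""))
    name = seq(_enc(0x31, seq(_enc_oid("2.5.4.3"), _enc(0x0C, b"sample"))))
    validity = seq(_enc(0x17, b"231101000000Z"), _enc(0x17, b"241101000000Z"))
    tbs = seq(_enc(0xA0, _enc(0x02, b"\x02")), _enc(0x02, b"\x01"), alg, name, validity, name, spki)
    b64 = base64.b64encode(seq(tbs, alg, _enc(0x03, b"\x00" * 9))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid, bits in (("1.2.840.113549.1.1.5", 1024), ("1.2.840.113549.1.1.11", 2048)):
        print(inspect_cert(make_sample_cert(oid, bits)))
```

Run it over the CA, server and every client certificate an OpenVPN instance uses, since any one of them with a SHA-1 signature will break the tunnel after the upgrade. The same two fields are what `openssl x509 -in cert.pem -noout -text` prints as "Signature Algorithm" and "Public-Key", so this is only a convenience where Python is handier than the OpenSSL CLI.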