19.1 “Inspiring Iguana” Series

For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The 19.1 release, nicknamed “Inspiring Iguana”, consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That is the average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights it would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

19.1.10 (July 03, 2019)

Small update as we are nearing the end of the 19.1 series. Yes, it is that time of the year again with a release candidate only a few days away and a final release date set to July 17.

Here are the full patch notes:

  • system: change certificate manager actions to POST

  • system: fix account removal with missing “-g” option

  • system: add dashboard widgets to XMLRPC sync

  • firewall: fix live log rule label mismatch caused by optimisation

  • firewall: fix alias import with alias references included

  • firewall: change default sorting of aliases to names

  • firmware: add homelab.no mirror (contributed by Thomas Jensen)

  • intrusion detection: when toggling rules keep the current action

  • intrusion detection: suppress mystery PHP 7.2+ warning in API

  • intrusion detection: show SID in alert view

  • web proxy: add cache reset button

  • web proxy: correct syslog export

  • plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)

  • plugins: os-etpro-telemetry Python 3 support

  • plugins: os-frr 1.11 [1]

  • plugins: os-nginx 1.14 [2]

  • plugins: os-rspamd 1.7 [3]

  • plugins: os-tinc Python 3 support

  • ports: ca_root_nss 3.44.1

  • ports: curl 7.65.1 [4]

  • ports: libevent 2.1.10 [5]

  • ports: libxml 2.9.9 [6]

  • ports: libressl 2.9.2 [7] [8]

  • ports: phalcon 3.4.4 [9]

  • ports: strongswan 5.8.0 [10]

  • ports: unbound 1.9.2 [11]

A hotfix release was issued as 19.1.10_1:

  • firmware: enable upgrade path to 19.7

19.1.9 (June 06, 2019)

Small 19.1 series update mainly focusing on LDAP group synchronisation and assorted OpenVPN improvements. Two regressions of previous versions have been fixed as well.

Here are the full patch notes:

  • system: add LDAP group synchronisation feature

  • system: allow an arbitrary group for sudo like ssh login

  • system: stop using a lock around resolv.conf handling

  • system: rename a number of service-related functions

  • system: login not using cache-safe image yet

  • system: add pluginctl -s support

  • system: restyle config backup page

  • system: fix log split view regression of 19.1.8

  • interfaces: remove DHCPv6 on delete and clear config on IPsec assignment

  • interfaces: small VIP restructure and IPv6 alias to IPv6 device

  • interfaces: subtle changes in IPv6 and variable naming

  • interfaces: add missing does_interface_exist() checks

  • firewall: support multiple interfaces per NAT port forward rule

  • captive portal: use “onestop” to stop service

  • intrusion detection: missing header ID in alerts tab

  • ipsec: remove remnants of gateway group interface selection

  • ipsec: use indirect plugin calls in interface code

  • openvpn: add live-search to longer lists in server page

  • openvpn: support –cryptoapicert export (sponsored by m.a.x. it [1] )

  • opnevpn: correctly check for translation in get_carp_interface_status()

  • openvpn: use waitforpid() to properly wait for instanes to come up

  • openvpn: translate GUI error values when returning them

  • openvpn: revamp status page

  • unbound: leases watcher file rotation issue

  • web proxy: squid log in readable date format (contributed by nhirokinet)

  • web proxy: fix non-local authentication regression of 19.1.7

  • plugins: os-bind 1.5 [2]

  • plugins: os-clamav 1.7 [3]

  • plugins: os-dnscrypt-proxy 1.4 [4]

  • plugins: os-dyndns clouldflare wildcard domain support

  • plugins: os-nginx 1.13 [5]

  • plugins: os-openconnect 1.4.0 [6]

  • plugins: os-redis 1.1 [7]

  • plugins: os-rspamd 1.6 [8]

  • plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)

  • ports: curl 7.65.0 [9]

  • ports: lighttpd 1.4.54 [10]

  • ports: python 3.7.3 [11]

  • ports: openssl 1.0.2s [12]

  • ports: php 7.2.19 [13]

19.1.8 (May 20, 2019)

This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination.

Here are the full patch notes:

  • system: address CVE-2019-11816 privilege escalation bugs [1] (reported by Arnaud Cordier)

  • system: /etc/hosts generation without interface_has_gateway()

  • system: show correct timestamp in config restore save message (contributed by nhirokinet)

  • system: list the commands for the pluginctl utility when no argument is given

  • system: introduce and use userIsAdmin() helper function instead of checking for “page-all” privilege directly

  • system: use absolute path in widget ACLs (reported by Netgate)

  • system: RRD-related cleanups for less code exposure

  • interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)

  • interfaces: replace legacy_getall_interface_addresses() usage

  • firewall: fix port validation in aliases with leading / trailing spaces

  • firewall: fix outbound NAT translation display in overview page

  • firewall: prevent CARP outgoing packets from using the configured gateway

  • firewall: use CARP net.inet.carp.demotion to control current demotion in status page

  • firewall: stop live log poller on error result

  • dhcp: change rule priority to 1 to avoid IPv6 bogon clash

  • dnsmasq: only admins may edit custom options field

  • firmware: use insecure mode for base and kernel sets when package fingerprints are disabled

  • firmware: add optional device support for base and kernel sets

  • firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)

  • ipsec: always reset rightallowany to default when writing configuration

  • lang: say “hola” to Spanish as the newest available GUI language

  • lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese

  • network time: only admins may edit custom options field

  • openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure

  • openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)

  • openvpn: remove custom options field from wizard

  • unbound: only admins may edit custom options field

  • wizard: translate typehint as well

  • plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)

  • plugins: os-nginx 1.12 [2]

  • plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)

  • src: timezone database information update [3]

  • src: install(1) broken with partially matching relative paths [4]

  • src: microarchitectural Data Sampling (MDS) mitigation [5]

  • ports: ca_root_nss 3.44

  • ports: php 7.2.18 [6]

  • ports: sqlite 3.28.0 [7]

  • ports: strongswan custom XAuth generic patch removed

19.1.7 (May 02, 2019)

This update features a number of improvements such as link-local support for bridges, HA sync consolidation, adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4.

Python 3 migration is also underway now which requires to pull in both Python versions which may be heavy on embedded Nano installs, but we cannot see another way for this tedious task which will probably stretch into 19.7 to be fully carried out in 20.1.

And speaking of 20.1: This is the first of many reminders that 20.1 will discontinue the i386 (Intel 32 Bit) franchise as discussed a number of times within the community over the years. Our hope is that ARM64 will make a viable replacement. But that is for another time.

As you may have noticed the project has not been delivering releases every other week and there are a number of reasons for it:

Security-wise we have not had a lot of necessary third-party software updates. Feature-wise we are sitting on a number of improvements for the upcoming 19.7 series that will trickle into 19.1.x now, but that have also required larger preparations and testing in the meantime. On the community side of the spectrum, sponsored by our partner m.a.x. it, we have started to work on better default gateway switching which led to an overall gateway integration rework and then quickly to interface handling restructuring, which in turn led to improving plugin capabilities of core services (OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it has been the largest rework so far on code established many years ago and only occasionally patched. We hope this shows our dedication to the code base even when things are not always 100% bug free. If you feel like pitching in now is a good time to try the development version and let us know about how it performs.

Without further ado, here are the full patch notes:

  • system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)

  • system: support for syncing alias and VHID to the slave

  • system: cleanly rewrite CA root files and add local trusted CAs as well

  • system: disable backup cron job when no backup is enabled

  • system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)

  • system: migrate health graph scripts to Python 3.6

  • interfaces: properly add and remove IPv6 trackers after interface apply

  • interfaces: validate prefix ID of IPv6 trackers so that each ID is unique

  • interfaces: display “0x” in prefix ID field so that it is clear that value is in hex

  • interfaces: fix passing VLAN name in interface_virtual_create()

  • interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters

  • interfaces: allow link-local address on bridges via optional setting

  • interfaces: PPP-related code cleanups

  • firewall: prevent double-escaping of text in rules page

  • firewall: handle IDNA encode failures in aliases

  • firewall: alias import / export option

  • captive portal: update to bootstrap 3.4.1

  • captive portal: fix a race in directory creation and listClients()

  • dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)

  • dhcp: merge static mac addresses with leases

  • dhcp: prevent double-escaping of text in leases page

  • firmware: add private log file for major upgrade package install step

  • firmware: use a safer major upgrade package install mode

  • firmware: retain /etc/motd on base updates

  • ipsec: implemented wildcard includes (contributed by Mark Plomer)

  • ipsec: only apply mobile PFS to mobile phase 2

  • ipsec: restyle mobile settings a little

  • ipsec: switch XAuth to PAM

  • ipsec: partial fix for static routes on routed tunnels during boot

  • network time: reload RRD since NTP has a setting for it

  • web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)

  • web proxy: switch authentication to PAM

  • backend: treat non existing key as empty string in sortDictList()

  • mvc: pluggable PAM-based authentication framework

  • mvc: add filter closure to searchBase()

  • plugins: introduce plugins_run() for collecting structured data from plugins

  • plugins: os-clamav 1.6 [1]

  • plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)

  • plugins: os-frr 1.10 [2]

  • plugins: os-netdata 1.0 (contributed by Michael Muenz)

  • plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall)

  • plugins: os-rfc2136 1.5 removes unused gateway group related code

  • src: move invoking of callout_stop(&lle->lle_timer) into llentry_free()

  • src: ensure that IP addresses match in ICMP error packets in pf(4)

  • src: add bsdinstall utility for upcoming 19.7 installer replacement

  • ports: dhcp6c 20190419 fixes raw options segfaults (contributed by Franck78)

  • ports: hostapd / wpa_supplicant 2.8 [3]

  • ports: perl 5.28.2 [4]

  • ports: py-yaml 5.1 [5]

  • ports: suricata 4.1.4 [6]

  • ports: sqlite 3.27.2 [7]

19.1.6 (April 11, 2019)

This update brings a smaller number of fixes and improvements as well as the latest PHP version update.

With a heavy heart we disable E_WARNING messages in the PHP error reporting. It has been implemented in 2015 to improve code quality and it did just that, but with the latest PHP 7.2 jump in 19.1.5 it causes problems around the newly added count() usage warning messages. We plan to bring back E_WARNING usage in 19.7.

Here are the full patch notes:

  • system: let dashboard only accept its own POST requests

  • system: remove obsolete symlink to opnsense-auth

  • system: skip PHP E_WARNING log level until 19.7

  • system: numerous PHP 7.2 warning fixes

  • dhcp: DHCPD server check in relay only if interface is active

  • dnsmasq: skip empty custom options

  • intrusion prevention: do not drop flowbits:noalert rules

  • unbound: add ACL entries for OpenVPN by default

  • mvc: controller cleanups in firewall shaper, web proxy and captive portal

  • plugins: numerous PHP 7.2 warning fixes

  • plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)

  • plugins: os-nginx 1.11 [1]

  • ports: php 7.2.17 [2]

  • ports: py-certifi 2019.3.9 [3]

19.1.5 (April 05, 2019)

After a longer pause we are back with considerable upgrades for IPsec, a new CSR feature for local CAs, PHP 7.2 migration and a number of other considerable third party updates.

These are the full patch notes:

  • system: improve gateway status return when monitoring is off

  • system: warn user about future deprecation of “user-config-readonly” privilege

  • system: support certificate signing requests (contributed by nhirokinet)

  • system: syslog does not need to do a background startup since it backgrounds itself

  • system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)

  • system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)

  • interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)

  • interfaces: take all unknown arguments as real interfaces in interfaces_addresses()

  • interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses

  • interfaces: move mpd.script to new location (may require interface reconfigure)

  • firewall: proper locking of aliases before config action on delete

  • firewall: correctly set outbound NAT destination as network

  • firewall: add support for DSCP in shaper (contributed by Michael Muenz)

  • firewall: add support for IDN in aliases (contributed by Smart-Soft)

  • captive portal: allow access to this host (contributed by Fredrik Ronnvall)

  • firmware: fix parsing of packages in multi-repo env and revoked fingerprint message

  • firmware: add University of Kent to the firmware mirrors

  • ipsec: only use explicit reqid when using route-based interfaces

  • ipsec: correctly set install policy option on newly created phase 1 entries

  • ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration

  • ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)

  • ipsec: properly quote UNITY_BANNER for multi-line support

  • ipsec: support for dynamic remote gateways

  • monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)

  • monit: added missing “not on” label

  • openvpn: support static-challenge formatted password

  • openvpn: properly load custom config field in exporter

  • openvpn: cleanups in listening address handling

  • web proxy: IP address not available when address set to none

  • web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)

  • web proxy: add dash to allowed characters in description (contributed by Fabian Franz)

  • backend: python 2->3 iteritems() conversion in core templates

  • mvc: migrate config backup rotation to handle static and MVC pages (contributed by Smart-Soft)

  • mvc: controller cleanups in cron, intrusion detection, routes

  • mvc: obey “user-config-readonly” privilege in mutable controllers

  • mvc: support overlays in setBase() / addBase()

  • ui: remove jquery-bootgrid converters which are now included in the library

  • plugins: os-acmle-client 1.23 [1] [2] [3]

  • plugins: os-dyndns 1.14 supports wildcards for Google Domains

  • plugins: os-etpro-telemetry 1.3 uses HOME_NET to anonymization

  • plugins: os-freeradius 19.1.0 [4]

  • plugins: os-frr 1.9 [5]

  • plugins: os-nginx 1.10 [6]

  • plugins: os-postfix 1.9 [7]

  • plugins: os-rspamd 1.5 [8]

  • plugins: os-telegraf 1.7.5 [9]

  • plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)

  • plugins: os-zabbix-agent 1.5 [10]

  • ports: ca_root_nss 3.43

  • ports: curl 7.64.1

  • ports: libucl 0.8.1

  • ports: pcre 8.43

  • ports: php 7.2.16

  • ports: py-cryptography 2.6.1

  • ports: phpseclib 2.0.15

  • ports: python 2.7.16

  • ports: unbound 1.9.1

A hotfix release was issued as 19.1.5_1:

  • mvc: sync missing hasPrivilege()

19.1.4 (March 12, 2019)

An UEFI boot panic scenario was debugged last week with the help of the community. This update includes a fix that will allow the ones affected by this 19.1 issue to upgrade or install (and boot of course) correctly. We are also including the IPsec VTI support and the latest Suricata 4.1.3 with stability and compatibility fixes.

Due to the severity of the UEFI boot panic 19.1.4 will be the new initial release for all upgrades from 18.7 within a day or two depending on additional testing and confirmation. Last but not least there will be new images some time next week to put this fully behind us. Thank you for your patience and understanding. :)

Special thanks go to the team of Synacktiv for reporting a packet filter IPv6 vulnerability for which a patch was included as well.

Here are the full patch notes:

  • system: remove erroneously translated hostname example (contributed by nhirokinet)

  • firewall: fix validation regression in outbound NAT introduced in 19.1.3

  • firewall: mock labels for NAT rules in live log as pf does not offer label support

  • interfaces: do not background LAGG ifconfig destroy

  • installer: revert to use network connection to allow CTRL+C and resume

  • ipsec: added Virtual Tunnel Interface (VTI) support

  • unbound: fix nested statistics items read

  • mvc: remove old Phalcon volt template workarounds from when scopes were broken

  • mvc: fix bug in model relation field values merge

  • plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)

  • plugins: os-telegraf missed invoke of setup.sh

  • plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)

  • plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)

  • plugins: os-nginx 1.9 [1]

  • src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)

  • src: revert upstream commit “protect the kernel text, data, and BSS” to fix certain UEFI boots

  • ports: monit 5.25.3 [2]

  • ports: ntp 4.2.8p13 [3]

  • ports: php 7.1.27 [4]

  • ports: suricata 4.1.3 [5]

The full list of changes of the OPNsense 19.1 series can be reviewed using their original announcements:

We would also like to use this opportunity to remind everyone that OPNsense is and always will be free software. All of its source code and associated build tools can be found here:

https://github.com/opnsense

Download links, an installation guide [6] and the checksums for the images can be found below as well.

The public key for the 19.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
# ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
# QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
# GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
# pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
# Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
# NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
# 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
# Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
# Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
# C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
# zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-19.1.4-OpenSSL-dvd-amd64.iso.bz2) = 5f2e64797fce03d4d47050894c38e8e176fda6281009abd36f60d788d3e29d42
# SHA256 (OPNsense-19.1.4-OpenSSL-nano-amd64.img.bz2) = ee5171fb837884fffd29c6e75cb089dc4020fb89459143bd9e7b859b1da3fd89
# SHA256 (OPNsense-19.1.4-OpenSSL-serial-amd64.img.bz2) = 07868978903220bf9dee26c936d25140df07ec9c02cb8c480bd8619e69c562a0
# SHA256 (OPNsense-19.1.4-OpenSSL-vga-amd64.img.bz2) = e473bc645778c95596639056ecc8ef92a12a7fd1cdc52cd0b1f6294a64561311
# SHA256 (OPNsense-19.1.4-OpenSSL-dvd-i386.iso.bz2) = 9f40b591c27d90a86c60ec0b539f228999953f947573e2e575c2936c3993d7c0
# SHA256 (OPNsense-19.1.4-OpenSSL-nano-i386.img.bz2) = c624d50b19f2ae4d471076c53f5c516e3a523ff41b69d0bfa779b5fff6415f81
# SHA256 (OPNsense-19.1.4-OpenSSL-serial-i386.img.bz2) = 62bff974ae4238dfc2e830a32fbf4bd357ff418d15be99b89ac129f839e10eaf
# SHA256 (OPNsense-19.1.4-OpenSSL-vga-i386.img.bz2) = ca893277a02b93129e6a30125107f7ad4fc01673b722f54ce6e5cb7eb438cae4

19.1.3 (March 07, 2019)

This is a smaller stable update consisting of LDAPS authentication server improvements, Unbound host overrides alias support, OpenSSL 1.0.2r security update and the recent PAM rework for better privilege separation.

We are currently focusing on IPsec VTI, third-party service PAM integration and investigating kernel boot crashes. In the latter case we are aware of the update issues some people are having and recommend running 18.7 until this is taken care of. Above all, please be patient. New images and seamless upgrade paths will be provided as soon as the problems have been pinned down.

Here are the full patch notes:

  • system: improve LDAPS mode and related authentication cleanups

  • system: move enable checkbox to the top in remote logging settings

  • system: allow reset of tunables to to factory defaults

  • system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)

  • firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)

  • interfaces: probe media before applying new settings

  • interfaces: correctly compare MAC addresses

  • dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)

  • firmware: move duty to return the correct set name / ID to opnsense-version

  • firmware: finally revoke 18.7 fingerprint

  • intrusion detection: minor template cleanups using helpers.empty()

  • ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries

  • ipsec: allow easier override of colours in widget (contributed by Fabian Franz)

  • monit: add validation for test type (contributed by Frank Brendel)

  • openvpn: add auth-nocache option in exporter

  • openvpn: validate certificate type for servers

  • unbound: add host overrides alias support

  • web proxy: add auth to parent proxy (contributed by Michael Muenz)

  • backend: add helpers.empty() in configd

  • mvc: simplify save / close / cancel button labels

  • mvc: add sorting for field list types

  • rc: move all template generation to early stage

  • ui: improve escaping of displayed data in static pages

  • ui: escape button values in static pages

  • ui: avoid short PHP tags

  • plugins: os-dnscrypt-proxy 1.3 [1]

  • plugins: os-frr brings in missing area range code [2]

  • plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)

  • plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)

  • plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)

  • plugins: os-vnstat /var MFS fix [3]

  • plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)

  • ports: openssl 1.0.2r [4]

  • ports: pam_opnsense 19.1.3 uses setuid for privilege separation

  • ports: phalcon 3.4.3 [5]

19.1.2 (February 28, 2019)

This update is the sum of a few weeks of intense testing and debugging in areas such as WAN DHCP with very short lease times, Suricata IPS not working as expected, stacked 6RD setups that have overly long device names amongst others.

The update may be a bit bumpy this time since the web GUI session directory will be moved to a safer location. You will be logged out during the update and the system will reboot due to the included operating system update. As soon as it is back you will be able to log in as usual.

LibreSSL received a major upgrade from 2.7 to 2.8. If you are using LibreSSL and see any issues please do let us know because it sadly looks like third party projects such as OpenVPN, Squid, StrongSwan and NTP leave the use of LibreSSL to the few users who are able to fix the source code builds on their own and we want to ideally avoid having to patch third party software.

Here are the full patch notes:

  • system: move session files into their own directory (forces the current sessions to expire)

  • system: add validation check for time period for Dpinger (contributed by Team Rebellion)

  • system: hide “show certificate info” button of pending CSR (contributed by nhirokinet)

  • system: move opnsense-auth to libexec, but keep a symlink in sbin directory

  • system: escaping issue in gateway edit page

  • system: fix ACL for halt and reboot pages

  • firewall: fix alias entry replacement in utility page

  • firewall: prevent new alias creation when adding an address

  • firewall: capture “nat” traffic like we do for “rdr” in live log

  • firewall: escaping issues in schedule edit page

  • interfaces: push dhclient and dhcp6c log messages to system log

  • interfaces: write all nameservers via dhclient-script in multi WAN scenarios

  • interfaces: check for valid alias IP in dhclient-script

  • interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups

  • interfaces: avoid reading empty interface configurations

  • firmware: bootstrap rework for HTTPS repository URL

  • firmware: patch cache and assorted improvements

  • firmware: minor update utility cleanups

  • firmware: remove compatibility stubs for pre-19.1 version reads

  • firmware: show revoked package mirror error in GUI if applicable

  • firmware: bump RageNetwork mirror to HTTPS

  • firmware: be more careful about parsing version info

  • dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)

  • intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression [1]

  • intrusion detection: support required rules/files in metadata package

  • intrusion detection: less extensive logging

  • ipsec: fix escaping issue in mobile page

  • monit: fix address validation

  • openvpn: obey verify-x509-name for remote access (user auth)

  • openvpn: proper daemonize instead of background job

  • openvpn: extract full CA chain for setup

  • openvpn: missing “port” in protocol export

  • mvc: fix port validation on whitespace input

  • mvc: fix compare constraint (contributed by Fabian Franz)

  • mvc: fix read-only access on config.xml during locked runs

  • mvc: prevent UserException from being pushed to PHP error log

  • ui: legacy browsers accommodation (contributed by NOYB)

  • ui: update to Tokenize2 1.3 plus additional escaping patches

  • ui: add support for Tokenize2 sortable tag

  • ui: hardening of gettext() invokes in HTML tags

  • ui: fix setFormData() HTML decode

  • plugins: os-bind safe search google domain updates (contributed by Michael Muenz)

  • plugins: os-dnscrypt-proxy 1.2 [2]

  • plugins: os-dyndns 1.13 IPv6 device lookup fix

  • plugins: os-etpro-telemetry 1.2 reduces telemetry data collection

  • plugins: os-frr 1.8 adds route summarization via area range (contributed by Michael Muenz)

  • plugins: os-haproxy 2.15 [3] [4]

  • plugins: os-nginx 1.8 [5]

  • plugins: os-ntopng 1.2 [6]

  • src: clear callee-preserved registers on amd64 syscall exit [7]

  • ports: cpdup 1.20

  • ports: curl 7.64.0 [8]

  • ports: libressl 2.8.3 [9]

  • ports: openvpn 2.4.7 [10]

  • ports: pam_opnsense manual page addition

  • ports: sqlite 3.27.1 [11]

  • ports: squid forgery check avoidance [12]

  • ports: strongswan 5.7.2 [13]

  • ports: unbound 1.9.0 [14]

19.1.1 (February 05, 2019)

This is a security and reliability release: WAN DHCP will no longer trust the server MTU given. Uncoordinated cross site scripting issues have been fixed. And the Python request library was patched due to CVE 2018-18074.

Here are the full patch notes:

  • system: address XSS-prone escaping issues [1]

  • firewall: add port range validation to shaper inputs

  • firewall: drop description validation constraints

  • interfaces: DHCP override MTU option (contributed by Team Rebellion)

  • interfaces: properly configure SIM PIN on custom modems

  • reporting: prevent cleanup from deleting current data when future data exists

  • ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)

  • openvpn: multiple client export fixes

  • web proxy: add ESD files to Windows cache option (contributed by R-Adrian)

  • plugins: os-acme-client 1.20 [2]

  • plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)

  • plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send

  • plugins: os-nginx 1.7 [3]

  • plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)

  • plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)

  • ports: ca_root_nss 3.42.1

  • ports: lighttpd 1.4.53 [4]

  • ports: py-request 2.21.0 [5]

19.1 (January 31, 2019)

For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The 19.1 release, nicknamed “Inspiring Iguana”, consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That is the average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights it would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

These are the most prominent changes since version 18.7:

  • fully functional firewall alias API

  • PIE firewall shaper support

  • firewall NAT rule logging support

  • 2FA via LDAP-TOTP combination

  • WPAD / PAC and parent proxy support in the web proxy

  • P12 certificate export with custom passwords

  • Dpinger is now the default gateway monitor

  • ET Pro Telemetry edition plugin [2]

  • extended IPv6 DUID support

  • Dnsmasq DNSSEC support

  • OpenVPN client export API

  • Realtek NIC driver version 1.95

  • HardenedBSD 11.2, LibreSSL 2.7

  • Unbound 1.8, Suricata 4.1

  • Phalcon 3.4, Perl 5.28

  • firmware health check extended to cover all OS files, HTTPS mirror default

  • updates are browser cache-safe regarding CSS and JavaScript assets

  • collapsible side bar menu in the default theme

  • language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian

  • new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy

Here are the full changes against version 19.1-RC2:

  • ipsec: add firewall interface as soon as phase 1 is enabled

  • ipsec: phase 1 selection GUI JavaScript compatibility fix

  • monit: widget improvements and bug fix (contributed by Frank Brendel)

  • ui: fix regression in single host or network subnet select in static pages

  • plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)

  • plugins: os-telegraf 1.7.4 fixes packet filter input

  • plugins: os-theme-rebellion 1.8.2 adds image colour invert

  • plugins: os-vnstat 1.1 [3]

  • plugins: os-zabbix-agent now uses Zabbix version 4.0

  • src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support

  • src: update sqlite3-3.20.0 to sqlite3-3.26.0 [4]

  • src: import tzdata 2018h, 2018i [5]

  • src: avoid unsynchronized updates to kn_status [6]

  • ports: ca_root_nss 3.42

  • ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)

  • ports: sudo patch to fix listpw=never [7]

Migration notes and minor incompatibilities to look out for:

  • Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.

  • Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.

  • Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.

  • Please read the FRR documentation with regard to the required system tunables [8] .

  • Bhyve VM boot may fail as a guest. Use the “-w” parameter [9] to boot.

  • Boot may fail due to Meltdown/Spectre mitigation. A workaround [10] exists.

  • SNMP plugin has been superseded by Net-SNMP plugin.

The public key for the 19.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
# ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
# QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
# GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
# pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
# Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
# NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
# 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
# Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
# Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
# C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
# zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2) = 0a9e02954da1ddd1f0b7673394bbf81cfa74a1d5378600a87d3a9e6a26d3104d
# SHA256 (OPNsense-19.1-OpenSSL-nano-amd64.img.bz2) = 2c4b0056ca26053c8d5e4efe196e512af618bad4fa136ba0e2528083a6263528
# SHA256 (OPNsense-19.1-OpenSSL-serial-amd64.img.bz2) = c71274cea2b910cd4b3454b4ad29f7f70503fcb52ffa5b7f65ea96a27ac9e10d
# SHA256 (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) = 37164481a413716d8786676d30bb709f8b967e53a47a36d10118214304d14bb9
# SHA256 (OPNsense-19.1-OpenSSL-dvd-i386.iso.bz2) = 17d0aadf671bc2d99b57f0371e4fadfca0e2e9c8d27d6545674a610fc1f59c7a
# SHA256 (OPNsense-19.1-OpenSSL-nano-i386.img.bz2) = 0c4e7616c93f14f5988df84b9b620543cb23a89c1f91505527b6c999d2dc7889
# SHA256 (OPNsense-19.1-OpenSSL-serial-i386.img.bz2) = 93306e5349c7448ad3fdc03d9349ebf98e4d7c677201dcbec111f917c72dca24
# SHA256 (OPNsense-19.1-OpenSSL-vga-i386.img.bz2) = 03d21319a784f93a7940d35168a35d15005e6f4579ac5b1c7a6ff606beb062a6

19.1.r2 (January 23, 2019)

Small online update issued to fix known and subsequently patched issues. If you use Insight and flowd_aggregate service refuses to start go to System: Firmware: Packages and reinstall the “flowd” package.

These are the changes in detail:

  • firmware: fix invisible error in health check

  • intrusion detection: avoid spurious migration error on factor reset

  • monit: fix dashboard widget display and general settings save

  • plugins: os-telegraf fixes checkbox for CPU time collect (contributed by chaispaquichui)

  • ports: flowd Python bindings runtime fix

Stay safe, Your OPNsense team

19.1.r1 (January 21, 2019)

For almost four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full changes against version 18.7.10:

  • system: console port assignment can now assign OPT without LAN

  • system: anti-lockout will use OPT1 if LAN is not present

  • system: allow creation of combined client/server SSL certificate

  • system: gateway monitoring switches to Dpinger with Apinger removed

  • system: detect unassigned gateways in static address setups

  • system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)

  • system: removal of the old notification system in favour of Monit

  • system: only allow syslog remote binding to assigned interfaces

  • system: disable IP aliases configured with VHID on temporary disable

  • system: remove AHCI MSI disable workaround used in FreeBSD 11.1

  • system: default gateway switching moves back to general settings

  • system: beep sound notification setting moves to misc. settings

  • system: limit log line length in log widget

  • interfaces: change 6RD/6to4 interface prefix from internal name to physical device

  • interfaces: prohibit tracking on 6RD with /64 upstream prefix

  • interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 tracking

  • interfaces: clear an apparently faulty system DUID when no manual DUID is set

  • interfaces: updated custom dhclient-script used for DHCPv4

  • interfaces: VIP support for GRE devices

  • interfaces: simplify find_interface_ip* functions

  • interfaces: remove get_interface_subnet* functions

  • interfaces: remove unused get_possible_listen_ips function

  • interfaces: link status indicator on assignments page

  • interfaces: unify interface removal code

  • firewall: switch GeoIP database download to HTTPS

  • firewall: find IP reference tool for aliases

  • firewall: improve alias page responsiveness with large number of addresses

  • firewall: show system errors when reloading aliases

  • firewall: NAT port forward logging option and live view support

  • firewall: optionally resolve all host names in live view

  • firewall: not all states could be removed in diagnostics page

  • firewall: clean up unused NAT rule association code

  • reporting: improve handling of empty Insight datasets

  • reporting: prepare for Python 3 conversion

  • firmware: switch default mirror location to HTTPS

  • firmware: health check for base and kernel files including version check

  • firmware: support base and kernel file size in packages overview

  • firmware: /var MFS compatibility on base installation when reboot is deferred

  • firmware: command line core lock feature prevents package upgrades

  • firmware: internally remember plugins installed or removed in the GUI

  • firmware: show last known update log on page open

  • firmware: show untrusted repository error in GUI

  • firmware: separate chanelogs tab for clarity

  • dhcp: refuse setup of instances that have no associated IP address

  • dhcp: fix lease time local vs. UTC display in IPv6 leases

  • installer: change communication from TCP to named pipes

  • installer: fix sporadic segmentation faults in frontend code

  • installer: allow config import from ZFS pools

  • installer: allow password reset on ZFS pools

  • installer: removed a number of unused modules

  • ipsec: generate correct config for “Hybrid-RSA + XAuth” (contributed by Max Weller)

  • ipsec: reworked strongswan.conf generation

  • ipsec: use new interface subnet retrieval code

  • monit: support declaring dependencies (contributed by Alexander Werner)

  • monit: add Service/Test type relation (contributed by Frank Brendel)

  • monit: add CARP status to standard services

  • monit: add gateway alerts to standard services

  • monit: backend rework to simplify the service

  • intrusion detection: support base ruleset overlays and improve logging

  • intrusion detection: GeoIP feature in user-defined rules has been removed

  • intrusion detection: obey Content-Disposition header

  • openvpn: client export rewrite, new export option for The Green Bow

  • unbound: reworked slab calculation

  • unbound: added statistics page

  • unbound: only bind to interfaces or OpenVPN instances, always bind to loopback

  • unbound: fix ACL subnet calculation for OpenVPN instances

  • unbound: do not generate host entries for OpenVPN instances

  • unbound: improve help text wording and general settings layout

  • web proxy: parent proxy support (contributed by Michael Muenz)

  • wizard: fix checkbox label styling

  • mvc: converted reboot, halt and license page to MVC

  • mvc: compared-to-field constraint (contributed by Fabian Franz)

  • mvc: external clients which set Authorization header now receive raw JSON responses

  • mvc: fix empty value check in grid (contributed by Smart-Soft)

  • mvc: globally lock config when multiple items are deleted at once

  • mvc: volt template JavaScript cleanups

  • ui: updated bootstrap-select to version 1.13.3

  • ui: collapsible sidebar support in default theme (contributed by Team Rebellion)

  • plugins: os-acme-client 1.19 [2]

  • plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)

  • plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft)

  • plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)

  • plugins: os-frr switches to FRR 5.0.2, please see below

  • plugins: os-l2tp 1.8 interface now selects reachable server address

  • plugins: os-pptp 1.8 interface now selects reachable server address

  • plugins: os-openconnect 1.3.3 [3]

  • plugins: os-quagga removed, please use os-frr instead

  • plugins: os-nginx 1.6 [4]

  • plugins: os-rspamd 1.4 allows to set manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)

  • plugins: os-snmp removed, please use os-net-snmp instead

  • plugins: os-theme-cicada 1.13

  • plugins: os-theme-tukan 1.12

  • plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)

  • src: HardenedBSD 11.2-RELEASE-p7 [5] [6] [7]

  • src: fix missing transmit visibility for BPF-based listeners in native netmap mode

  • src: limit the maximum number of fragments per packet in pf

  • src: replace rwlock on PF_RULES_LOCK with rmlock in pf

  • src: do not discard UDP6 traffic in Hyper-V adaptors

  • src: fix state sync during initial bulk update in pfsync

  • src: unbreak dhclient(8) option 26 processing

  • src: import APU 1-3 LED kernel module

  • ports: krb5 1.17 [8]

  • ports: php 7.1.26 [9]

  • ports: sudo 1.8.27 [10]

  • ports: perl 5.28.1 [11]

  • ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)

Known issues and limitations:

  • Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.

  • Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.

  • Monit general settings do not save. A patch exists [12] to remedy this problem: opnsense-patch a2899594

  • Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1.

  • Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.

  • Please read the FRR documentation with regard to the required system tunables [13] .

  • SNMP plugin has been superseded by Net-SNMP plugin.

  • ZFS guided installation pending.

The public key for the 19.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
# ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
# QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
# GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
# pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
# Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
# NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
# 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
# Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
# Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
# C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
# zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!

# SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364
# SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289
# SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8
# SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63
# SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94
# SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0
# SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bd
# SHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db