Netgate will replace OpenSSL 1.1.1t with OpenSSL 3.0.12 in the pending release of pfSense Plus software, version 23.09. This is an essential move as the OpenSSL Project confirmed on September 11, 2023, that version 1.1.1t had reached its End of Life (EOL), and it will no longer receive security patches for vulnerabilities. FreeBSD has also moved to OpenSSL 3. An update to pfSense CE software will follow after the release of pfSense Plus version 23.09.
OpenSSL is a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication. The OpenSSL toolkit is an essential component of Netgate's pfSense Plus software, and of the FreeBSD operating system upon which it is built.
The OpenSSL Project made an unusual jump in numbering from version 1.1.1t to version 3.0.12 to highlight its significance. A major change in version 3.0.12 is implementation of the FIPS Object Module 2.0 in order to gain FIPS 140-3 compliance (FIPS is a U.S. Federal program for the testing and certification of cryptographic modules).
This new version includes major structural changes and modifies some application programming interface (API) and application binary interface (ABI) components. It also deprecates weak algorithms of various types.
Changing from OpenSSL 1.1 to OpenSSL 3 is not a simple upgrade. Netgate developers have incorporated these changes with as little impact on users as possible, but some things may still require manual adjustments, as outlined below.
OpenSSL 3 removes a large number of deprecated encryption and digest algorithms. This primarily affects OpenVPN.
Encryption algorithms removed from OpenVPN include: ARIA, Blowfish (e.g. BF-CBC, which was formerly an OpenVPN default), CAST5, DES, DESX, IDEA, RC2, RC5, SEED, and SM4. Hash algorithms removed from OpenVPN include MD4, MDC2, SM3, and Whirlpool.
Upon upgrade, tunnels using these deprecated algorithms will be adjusted so they use more secure default values when necessary.
OpenSSL 3 no longer supports certificates signed with SHA1 or other older/weaker hashes. The minimum recommended hash strength is SHA256. The pfSense Plus upgrade process detects usage of weak certificates for the GUI, Captive Portal, and OpenVPN, and takes actions where possible:
The best practice is to reconfigure all services using certificates with stronger algorithms, and to test these functions before performing an upgrade to ensure a smooth transition.
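The two checks above (removed OpenVPN ciphers and digests, and certificates signed with SHA1 or weaker) can be scripted before the upgrade so that nothing is discovered mid-migration. The following shell helpers are an added example written for this post, not Netgate's code or part of pfSense: they grep an OpenVPN config for the algorithm families the post lists as removed, and parse `openssl x509 -noout -text` output for weak signature algorithms. The OpenVPN directive names (`cipher`, `data-ciphers`, `data-ciphers-fallback`, `auth`) are standard OpenVPN directives; the sample config is constructed, and where generated OpenVPN configs or exported certificates live on a given system is an assumption you should confirm locally.

```shell
#!/bin/sh
# Pre-upgrade audit helpers for the OpenSSL 3 changes described in the post.
# Added example, not Netgate's code. Works with POSIX sh on FreeBSD or Linux.

# Cipher and digest families the post lists as removed from OpenVPN.
# Matching is by family (the token before the first '-'), so DES-CBC and
# DES-EDE3-CBC both report under DES; confirm hits against the release notes.
REMOVED_CIPHERS='ARIA|BF|CAST5|DES|DESX|IDEA|RC2|RC5|SEED|SM4'
REMOVED_DIGESTS='MD4|MDC2|SM3|WHIRLPOOL'

# Read an OpenVPN config on stdin and print every cipher/auth directive that
# names a removed algorithm. Returns 1 if anything was found, 0 if clean.
audit_openvpn_config() {
    found=0
    while read -r key value; do
        case "$key" in
            '#'*|'') ;;   # skip comments and blank lines
            cipher|data-ciphers|data-ciphers-fallback)
                # Cipher lists are colon separated; check each entry's family.
                for alg in $(printf '%s' "$value" | tr ':' ' '); do
                    family=$(printf '%s' "$alg" | tr 'a-z' 'A-Z' | cut -d- -f1)
                    if printf '%s' "$family" | grep -Eqx "($REMOVED_CIPHERS)"; then
                        printf 'removed cipher: %s %s\n' "$key" "$alg"
                        found=1
                    fi
                done ;;
            auth)
                digest=$(printf '%s' "$value" | tr 'a-z' 'A-Z')
                if printf '%s' "$digest" | grep -Eqx "($REMOVED_DIGESTS)"; then
                    printf 'removed digest: auth %s\n' "$value"
                    found=1
                fi ;;
        esac
    done
    return $found
}

# Read `openssl x509 -noout -text` output on stdin and print the signature
# algorithm line if it is SHA1 or weaker. Returns 0 (true) when weak.
# The post's minimum recommendation is SHA256.
weak_cert_signatures() {
    grep -i 'Signature Algorithm:' | sed 's/^[[:space:]]*//' | sort -u \
        | grep -Ei 'sha1|md5|md4|md2'
}

# Run the certificate check over PEM files given as arguments (for example
# certificates exported from the pfSense certificate manager; an assumption).
# Returns 1 if any certificate is weakly signed.
check_cert_files() {
    rc=0
    for f in "$@"; do
        if weak=$(openssl x509 -in "$f" -noout -text 2>/dev/null | weak_cert_signatures); then
            printf '%s: %s\n' "$f" "$weak"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample OpenVPN server config (not taken from any real system):
# BF-CBC appears as the legacy default and in the data-ciphers fallback list,
# and the HMAC digest is Whirlpool.
SAMPLE_OVPN='dev tun
proto udp
# legacy settings carried over from an old tunnel
cipher BF-CBC
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
auth whirlpool
'

if [ $# -gt 0 ]; then
    check_cert_files "$@"
else
    printf '%s' "$SAMPLE_OVPN" | audit_openvpn_config || true
fi
```

Run it with no arguments to see the three findings from the constructed sample, or pass PEM certificate files to check their signature algorithms; to audit a real tunnel, pipe its generated config into `audit_openvpn_config`. A hit from either function is a prompt to reconfigure that tunnel or reissue that certificate with AES-GCM, SHA256 or stronger, and then to test the service, before the 23.09 upgrade rather than after.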
This migration to OpenSSL 3 is essential, and the work done by Netgate in the upcoming version 23.09 to support it is complex. The changes have been incorporated with as little impact on users as possible, but some services may require reconfiguration using certificates with stronger algorithms.
Netgate HIGHLY recommends reviewing the release notes prior to installing this upgrade.
The pfSense Plus Release Notes for version 23.09 are available at: https://docs.netgate.com/pfsense/en/latest/releases/23-09.html
The OpenSSL Migration Guide, which details the changes in moving from OpenSSL 1.1.1 to OpenSSL 3, is available at: https://www.openssl.org/docs/man3.0/man7/migration_guide.html
The OpenSSL Project's end-of-life announcement for OpenSSL 1.1.1 is here: https://www.openssl.org/blog/blog/2023/09/11/eol-111/