core196: Don't break IPsec tunnels that use MLKEM

author Michael Tremer <michael.tremer@ipfire.org>

Wed, 28 May 2025 14:11:07 +0000 (14:11 +0000)

committer Michael Tremer <michael.tremer@ipfire.org>

Wed, 28 May 2025 14:13:10 +0000 (14:13 +0000)
author Michael Tremer <michael.tremer@ipfire.org>
Wed, 28 May 2025 14:11:07 +0000 (14:11 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Wed, 28 May 2025 14:13:10 +0000 (14:13 +0000)
diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh

index b8f92322fac37891ab168c6a745710e99d25ea35..bd9e80f4254efea48154e61cd7f47b65adc5dd7a 100644 (file)
--- a/config/rootfiles/core/196/update.sh
+++ b/config/rootfiles/core/196/update.sh
@@ -68,10 +68,12 @@ esac
  
  # Change IPsec configuration of existing connections using ML-KEM
  # to always make use of hybrid key exchange in conjunction with Curve 25519.
-sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config
+if ! grep -q "x25519-ke1_mlkem" /var/ipfire/vpn/config; then
+       sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config
+fi
  
  # Apply changes to ipsec.conf
-/srv/web/ipfire/cgi-bin/vpnmain.cgi
+sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
  
  # Start services
  if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
author	Michael Tremer <michael.tremer@ipfire.org>
	Wed, 28 May 2025 14:11:07 +0000 (14:11 +0000)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Wed, 28 May 2025 14:13:10 +0000 (14:13 +0000)