LATEST RELEASE: Update-12
20-June-2015
Merlin fork 374.43_2-12j9527
Download
http://1drv.ms/1uChm3J
============================
For those of you not yet ready to update to the latest 376 or 378 releases, I have created an incremental update (fixpack) to 374.43_2. This fork is based on an older code release with a history of being very stable, and any changes are carefully weighed to preserve that stability.
Update-12 Highlights:
- Merlin Backports
  - Update OpenSSL to 1.0.2c
    This makes the move from the OpenSSL 1.0.0 stream to the latest 1.0.2 stream for this fork. This adds new ciphers and helps get us ahead of the year-end EOL for OpenSSL 1.0.0.
  - Automatically update VPN Server to use a pre-generated 2048bit DH key if a key of less than 1024bits is found (previous default was 512bits).
  - IMPORTANT: Many OpenVPN clients are now being updated to require DH primes of at least 768 bits due to what has been dubbed the 'Logjam Attack' vulnerability. In addition, versions of OpenSSL starting with 1.0.2b will reject handshakes of less than 768 bits. Direction has been announced to require a 1024bit key in the future. This means:
    - If you are running the OpenVPN client on the router, you may need to request the owner of the VPN server to regenerate the DH key. It is expected that virtually all commercial VPN providers will already have DH keys that meet or exceed the 768bit requirement.
    - If you are running the OpenVPN server on the router, a pre-generated 2048bit DH key from RFC 3526 will be used during first time setup of the VPN Server, or your existing key will be updated to the pre-generated key the first time the Server is started after the firmware update.
    - You can still generate your own DH keys, as long as they are 1024bits or stronger, using tools such as easy-rsa or the built-in OpenSSL available via telnet/ssh on the router. Be aware that key generation on the router can take some time. For example, on an overclocked AC68U, it can take up to 5-10min for a 1024bit key, and 35-45min for a 2048bit key.
  - OpenVPN updated to 2.3.7
    This will automatically take advantage of the upgraded TLS support in OpenSSL 1.0.2 if it is available on both the server and client.
  - dnsmasq updated to version 2.73rc1.patch
  - miniupnpd updated to version 1.9.20150430
  - pppd updated to version 2.4.7
  - rp_pppoe synced with 378 codebase
  - Updated Entware install scripts
  - Merlin's latest revisions for OpenVPN policy based routing (up through master commit 22d91b1)
  - Fix for OpenVPN not restoring DNS servers with some provider configs
  - Wait for NTP sync before starting VPN servers/clients
- New Fork Updates
  - Removed the gui option to 'Allow local subnet forwarding' and made this the default
  - Fixed all the System Log pages so the scroll bars will only be visible under IE if they are needed
  - Updated formatting of the Routing Table status under System Log
  - Updated formatting of the IPv6 status under System Log if temporary addresses are in use
  - Fixed the wireless client count on the Sysinfo page to include guest clients
  - Client RSSI on the Wireless log page is now '??' if the information is not available or invalid (limitation of the older MIPS wireless drivers)
  - General performance improvement for ARM routers
  - Upstream maintenance for radvd
  - radvd will now quickly release IPv6 addresses when shutdown
  - New gui media server option to disable the media scan that occurs on every boot (will only update on change to media files)
  - Media Server now recognizes additional images as folder artwork, the full list is now:
    Folder.jpg/folder.jpg/Cover.jpg/cover.jpg/AlbumArtSmall.jpg/albumartsmall.jpg/AlbumArt.jpg/albumart.jpg/Album.jpg/album.jpg/Thumb.jpg/thumb.jpg
  - Disable the exclamation point alert if allowing guest access for Samba or FTP
Some notes on this fork release....
The fork does include
- Maintenance for documented security issues
- Maintenance for supporting open source components (such as dnsmasq, miniupnpd, etc)
- Backports of applicable fixes and new functions from Merlin's main branch
- Some unique support for options requested by users
- Older versions of the wireless drivers that some feel offer better performance (especially on the MIPS based routers)
- A different IPv6 stack which may work better in some environments
- Less of a lockdown on tweaking power levels
The fork does not include
- The new TrendMicro DPI engine functions for ARM routers
- The enhancements to the networkmap for custom icons, client naming, etc.
- Some of the enhanced gui formatting of later releases, for instance the new wireless log
- All the changes/tweaks that ASUS may have made since the original code was released (and any newly introduced bugs)
The following routers are supported by this fork:
- N16, N66U, AC66U, AC56U, AC68U, AC68P (and the retail and color versions, R and W)
The following routers were released after the base code used for this fork was available, and are NOT supported.
- AC87U, AC3200 (and the retail R versions)
The custom features of the fork which are not exposed in the gui can be set by an nvram variable. All the custom features are documented in the Merlin_Fork_Options file in the download directory.
A factory default reset is NOT required if coming from any level of the fork or Merlin 374.42 or 374.43 code. Coming from any other level does require a factory default reset after the code is loaded.
Thanks to @Chrysalis for getting the discussion started on the OpenSSL upgrade and for his continued testing and feedback. Additional thanks to @Kal-EL and @GHammer for testing on early pre-release code.
Source:
https://github.com/john9527/asuswrt-merlin : branch 374.43_2-update
SHA256 hashes:
4f196122b0e1c137a8d59e99e027a276714262c110740e0b2c13ac5580736cb3 *RT-AC56U_3.0.0.4_374.43_2-12j9527.trx
3f32b49bf0c51b736ccb70fc2e480366f5191b430d0898e9805197d632b7b55f *RT-AC66U_3.0.0.4_374.43_2-12j9527.trx
44725cff8d69ba434687f4fcfba7e5f03e911f9d1eacdf9373fac89bb8718db8 *RT-AC68U_3.0.0.4_374.43_2-12j9527.trx
aafc116642f598defba96904634ba95e011dc0deef78fb7ce7d8c2b33529f8bf *RT-N16_3.0.0.4_374.43_2-12j9527.trx
b29e478e43558c3ed63d0836abe00e297875d8afe0b6bf547931833bac1282e7 *RT-N66U_3.0.0.4_374.43_2-12j9527.trx
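
Added example (not part of the original post or the firmware's own code): a Python check that reads the modulus size from a `DH PARAMETERS` PEM block and compares it with the 768-bit and 1024-bit thresholds given in the DH key notes above. All function names are illustrative, and `sample_pem` builds constructed inputs whose moduli have the right size but are not usable primes.

```python
import base64

OPENSSL_MIN_BITS = 768    # per the notes: OpenSSL 1.0.2b+ rejects smaller handshakes
SERVER_MIN_BITS = 1024    # per the notes: smaller server keys are replaced

def _tlv(buf, pos, tag):
    """Read one DER element with the given tag; return (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: n length bytes follow
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def dh_modulus_bits(pem):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM block."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if len(lines) < 3 or "BEGIN DH PARAMETERS" not in lines[0] or "END DH PARAMETERS" not in lines[-1]:
        raise ValueError("not a DH PARAMETERS block")
    der = base64.b64decode("".join(lines[1:-1]))
    seq, _ = _tlv(der, 0, 0x30)               # SEQUENCE { INTEGER p, INTEGER g }
    return int.from_bytes(_tlv(seq, 0, 0x02)[0], "big").bit_length()

def classify(bits):
    if bits < OPENSSL_MIN_BITS:
        return "rejected"       # OpenSSL 1.0.2b+ refuses the handshake
    if bits < SERVER_MIN_BITS:
        return "regenerate"     # works today, below the announced 1024-bit floor
    return "ok"

def sample_pem(bits):
    """Constructed sample: p has the right size but is NOT a vetted prime."""
    def enc(tag, body):
        n = len(body)
        raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        hdr = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
        return bytes([tag]) + hdr + body
    p = (1 << (bits - 1)) | 1
    ints = b"".join(enc(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, 2))
    b64 = base64.encodebytes(enc(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for size in (512, 768, 1024, 2048):
        print(size, classify(dh_modulus_bits(sample_pem(size))))
```

To check a real key, pass the text of the server's DH parameter file to `dh_modulus_bits` instead of a constructed sample.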