Hi all,

After a longer pause we are back with considerable upgrades for IPsec, a new CSR feature for local CAs, PHP 7.2 migration and a number of other considerable third party updates.

These are the full patch notes:

o system: improve gateway status return when monitoring is off
o system: warn user about future deprecation of "user-config-readonly" privilege
o system: support certificate signing requests (contributed by nhirokinet)
o system: syslog does not need to do a background startup since it backgrounds itself
o system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
o system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
o interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
o interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
o interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
o interfaces: move mpd.script to new location (may require interface reconfigure)
o firewall: proper locking of aliases before config action on delete
o firewall: correctly set outbound NAT destination as network
o firewall: add support for DSCP in shaper (contributed by Michael Muenz)
o firewall: add support for IDN in aliases (contributed by Smart-Soft)
o captive portal: allow access to this host (contributed by Fredrik Ronnvall)
o firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
o firmware: add University of Kent to the firmware mirrors
o ipsec: only use explicit reqid when using route-based interfaces
o ipsec: correctly set install policy option on newly created phase 1 entries
o ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
o ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
o ipsec: properly quote UNITY_BANNER for multi-line support
o ipsec: support for dynamic remote gateways
o monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
o monit: added missing "not on" label
o openvpn: support static-challenge formatted password
o openvpn: properly load custom config field in exporter
o openvpn: cleanups in listening address handling
o web proxy: IP address not available when address set to none
o web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)
o web proxy: add dash to allowed characters in description (contributed by Fabian Franz)
o backend: python 2->3 iteritems() conversion in core templates
o mvc: migrate config backup rotation to handle static and MVC pages (contributed by Smart-Soft)
o mvc: controller cleanups in cron, intrusion detection, routes
o mvc: obey "user-config-readonly" privilege in mutable controllers
o mvc: support overlays in setBase() / addBase()
o ui: remove jquery-bootgrid converters which are now included in the library
o plugins: os-acme-client 1.23[1][2][3]
o plugins: os-dyndns 1.14 supports wildcards for Google Domains
o plugins: os-etpro-telemetry 1.3 uses HOME_NET for anonymization
o plugins: os-freeradius 19.1.0[4]
o plugins: os-frr 1.9[5]
o plugins: os-nginx 1.10[6]
o plugins: os-postfix 1.9[7]
o plugins: os-rspamd 1.5[8]
o plugins: os-telegraf 1.7.5[9]
o plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)
o plugins: os-zabbix-agent 1.5[10]
o ports: ca_root_nss 3.43
o ports: curl 7.64.1
o ports: libucl 0.8.1
o ports: pcre 8.43
o ports: php 7.2.16
o ports: py-cryptography 2.6.1
o ports: phpseclib 2.0.15
o ports: python 2.7.16
o ports: unbound 1.9.1

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1166
[2] https://github.com/opnsense/plugins/pull/1212
[3] https://github.com/opnsense/plugins/pull/1263
[4] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[8] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[9] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[10] https://github.com/opnsense/plugins/pull/1262