From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] Disallow OpenVPN DH params less than 1024 bits
Date: Tue, 01 Dec 2015 22:58:40 +0000
Message-ID: <1449010720.31655.42.camel@ipfire.org>

Hi,

I am probably with Erik on this. I agree that 1024 bits are not enough any more. It is better to use longer keys and DH params if possible.

However we have the same argument here that we had on the Apache thread. It is pretty much not feasible to generate these keys on many systems.

I am also not sure if labeling key sizes of 1024 bit as "insecure" is the best idea. I would prefer something like "recommended" for all higher key sizes. This is however in conflict with the argument above.

Best,
-Michael

On Tue, 2015-11-24 at 15:14 +0100, ue wrote:
> Hi Timmothy Wilson,
> we left the 1024 bit choice at this time because it provides a shortened time for the whole X509 generation. On slow boards or systems with less entropy the DH generation can take a long time even with 2048 bit DH-parameters (measured at this time up to 10 minutes with 2048 bits). We've made at development time a short list which you can find here --> http://wiki.ipfire.org/en/configuration/services/openvpn/extensions/zertkonvert where you can also find the needed time for DH-parameter generation. Maybe 10 minutes for an e.g. ALIX board is a lot and maybe too much? Nevertheless you can upload externally generated DH-parameters over the WUI --> http://wiki.ipfire.org/en/configuration/services/openvpn/config/upload_gen so a prepackaged DH-parameter can also be uploaded, but the generation time can be left short too.
>
> Another thing is, could you maybe provide more information about the insecurity of 2048 bit DH-parameters?
> On the OpenVPN hardening side they called it "Use of 2048-bit is a good minimum." --> https://community.openvpn.net/openvpn/wiki/Hardening . Surely a longer parameter increases security but also needs a lot more time to generate, and with the usage of the upload function maybe a better way is to only hint the 1024 parameter as insecure, so both are possible?
>
> Maybe an "insecure" hint in the flip menu is enough? A possible "insecure" hint could also be placed for the "Hash algorithm" in "Cryptographic options" for SHA1 --> https://www.schneier.com/blog/archives/2005/02/sha1_broken.html <-- from 2005 :-( .
>
> Some suggestions from here.
>
> Greetings,
>
> Erik
>
>
> On 23.11.2015 at 15:18, IT Superhack wrote:
> > The OpenVPN CGI offers to create a DH param. The patch below disables the generation of 1024 bit params and marks 2048 bit params as weak/insecure.
> >
> > It is recommended to use DH params with at least 3072 bits, shorter ones are considered as insecure. The patch does not affect systems where DH params were already created.
> >
> > Sorry for the crappy line breaks by my mail agent, but it cannot switch this off and git send-email does not work on my system (starttls issues).
> >
> > Signed-off-by: Timmothy Wilson
> > ---
> > html/cgi-bin/ovpnmain.cgi | 3 +--
> > langs/de/cgi-bin/de.pl | 1 +
> > 2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> > index 62af54e..4813128 100644
> > --- a/html/cgi-bin/ovpnmain.cgi
> > +++ b/html/cgi-bin/ovpnmain.cgi
> > @@ -1313,8 +1313,7 @@ END > >
> name='AREUSURE' value='yes' /> > > > value='$cgiparams{'KEY'}' /> > > > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > > index 2bca854..bfed92b 100644 > > --- a/langs/de/cgi-bin/de.pl > > +++ b/langs/de/cgi-bin/de.pl 
> > @@ -1291,6 +1291,7 @@ > > 'incorrect password' => 'Fehlerhaftes Passwort', > > 'info' => 'Info', > > 'init string' => 'Initialisierung:', > > +'insecure' => 'unsicher', > > 'insert floppy' => 'Legen Sie eine formatierte Diskette in das > > Floppy-Laufwerk in IPFire und klicken auf Datensicherung auf > > Diskette, um die Systemeinstellungen zu sichern. Überprüfen > > Sie das > > Ergebnis sorgfältig, um sicher zu sein, dass die Datensicherung > > vollständig und erfolgreich abgeschlossen wurde.', > > 'install' => 'Installieren', > > 'install new update' => 'Installiere neues Update:',
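Review bot: the html/cgi-bin/ovpnmain.cgi hunk (@@ -1313,8 +1313,7 @@) arrives with its changed lines stripped; only the hidden AREUSURE and KEY inputs survive as context, so neither the removal of the 1024-bit option nor the "insecure" marking of 2048 that the commit message describes can be reviewed from this mail. Please resend the patch as a git format-patch attachment rather than inline, since the mail agent's wrapping mangles it. While respinning, note that restricting the generator does not restrict the DH parameter upload path Erik mentions, so a 1024-bit file can still be loaded through the WUI; either apply the same minimum there (the modulus size is visible via `openssl dhparam -in <file> -text -noout`) or state in the commit message why uploads are deliberately exempt.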
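Review bot: the langs/de/cgi-bin/de.pl hunk adds the new 'insecure' key only to the German string table, and the diffstat shows no change to any other langs/*/cgi-bin file, so every other UI language will show the raw key (or whatever the fallback yields) wherever the CGI emits it. Add the English source string, `'insecure' => 'insecure',` in langs/en/cgi-bin/en.pl, in the same patch so the label resolves in the default language and translators have a string to work from.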
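The upload path Erik refers to accepts externally generated DH parameters, and the patch under discussion only narrows what the generator offers. As an added example that is not IPFire code, the following shows the size check an upload handler could apply: it parses the PEM "DH PARAMETERS" blob directly (PKCS#3 DHParameter is SEQUENCE { p INTEGER, g INTEGER }), so it needs no shell-out to openssl, and maps the modulus size to a label. The function names, the threshold defaults and the sample moduli are assumptions; the sample moduli are constructed integers of the wanted size, not primes.

```python
"""Added example, not IPFire code: size-check a PEM "DH PARAMETERS" blob
before accepting it, e.g. in a WUI upload handler.

Pure Python: the PKCS#3 DHParameter structure is
    SEQUENCE { p INTEGER, g INTEGER [, privateValueLength INTEGER] }
so only a minimal DER reader is needed to recover the modulus size.
Thresholds and helper names are assumptions, not project conventions.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----",
    re.S,
)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def dh_modulus_bits(pem):
    """Bit length of the prime p in a PEM-encoded DH parameter file."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode(m.group(1))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, _g, _ = _read_tlv(seq, pos)        # g must follow; its value is not needed here
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big").bit_length()   # leading 0x00 pad is harmless


def classify(bits, reject_below=2048, recommended=3072):
    """Map a modulus size to a label (assumed policy knobs).

    The thread disagrees on the wording: the patch drops 1024 and calls 2048
    weak, Erik treats 2048 as a good minimum, Michael would rather mark larger
    sizes "recommended" than smaller ones "insecure".  Both thresholds are
    parameters so either policy can be expressed.
    """
    if bits < reject_below:
        return "rejected"
    if bits < recommended:
        return "accepted"
    return "recommended"


def check_dhparam(pem, reject_below=2048, recommended=3072):
    """Return (bits, label); raises ValueError on malformed input."""
    bits = dh_modulus_bits(pem)
    return bits, classify(bits, reject_below, recommended)


# --- constructed test data -------------------------------------------------
# A tiny DER writer so the example is self-contained.  The moduli below are
# NOT primes, just integers of the wanted size; never use them for real DH.

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                      # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def make_dhparam_pem(p, g=2):
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"


SAMPLE_1024 = make_dhparam_pem((1 << 1023) | 0x1F)   # 1024-bit, constructed
SAMPLE_2048 = make_dhparam_pem((1 << 2047) | 0x1F)   # 2048-bit, constructed
SAMPLE_4096 = make_dhparam_pem((1 << 4095) | 0x1F)   # 4096-bit, constructed

if __name__ == "__main__":
    for name, pem in (("1024", SAMPLE_1024), ("2048", SAMPLE_2048), ("4096", SAMPLE_4096)):
        print(name, check_dhparam(pem))
```

A real file to feed this comes from `openssl dhparam -out dh2048.pem 2048` on a fast machine, which is the "generate elsewhere, upload here" workflow Erik describes for slow boards; the check above is what keeps that upload path from silently reintroducing a size the generator no longer offers.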