From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Mark recommended ciphers/algorithms
Date: Mon, 04 Jan 2016 16:36:50 +0000 [thread overview]
Message-ID: <1451925410.31655.260.camel@ipfire.org> (raw)
In-Reply-To: <76593C6C-4FD6-43C9-8FAF-D0808AE40E7B@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2163 bytes --]
Hi,
On Sat, 2016-01-02 at 14:03 +0100, ue wrote:
> Hi all,
> and for the first a good new year to you all.
> >
> > I agree, that it is desirable to use longer keys. However, I am not
> > sure if it is a good idea to go all the way for 4096 bit and not
> > only
> > for e.g. 2048 bit. Why not 8192 even?
> >
> > I would like to read some justification for the values that are
> > picked.
> >
> > Furthermore, I think that we the upper bound should be something
> > that
> > the average IPFire box is able to handle.
>
>
> tried that now with OpenVPN whereby i added a flip menu in the
> 'Generate Root/Host Certificate' section as it is for the Diffie
> -Hellman parameter so the keylengths aren´t hardcoded anymore and can
> be configured by the user. Added for the root CA 4096, 8192 and 16348
> tit lengths selection possibilities and for the host CA 2048, 4096,
> 8192 and also 16348 bit. The configured keylength for the host CA was
> also used for the control channel.
Is it even possible to use arbitrary key lengths with OpenVPN?
16k is really really long.
> The Root CA generation took 31 minutes for a 16348 bit keylength, the
> Host CA 12 minutes for 8192 bit and a 1024 bit DH-parameter needed 2
> minutes which is in summary ~ 45 minutes. The generation time differs
> also on every generation.
> The creation of a new client PKCS#12 package for 8192 bit needed 3
> minutes.
> The key exchange with a Control Channel: TLSv1.2, cipher TLSv1/SSLv3
> DHE-RSA-AES256-GCM-SHA384, 8192 bit RSA needed 10 sec.
This sounds increadible fast to me. We had devices on which that took
way longer.
I have recently seen a talk about using /dev/urandom instead. This is
probably worth a watch: https://www.youtube.com/watch?v=Q8JAlZ-HJQI
>
> All tests was made with a JNC9C --> http://fireinfo.ipfire.org/profil
> e/72d11e77621ec66ea75d39e3c9b10025e746e5af and without HWRNG or PRNG
> .
>
> If someone is interested in a ovpnmain.cgi diff and/or more testing
> results let it me know.
You can post it as a patch on here and add a note that this is for
testing only and not (yet?) intended to be merged.
>
>
> Greetings,
>
> Erik
Best,
-Michael
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
prev parent reply other threads:[~2016-01-04 16:36 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-23 14:18 [PATCH] Disallow OpenVPN DH params less than 1024 bits IT Superhack
2015-11-24 14:14 ` ue
2015-12-01 22:58 ` Michael Tremer
2015-12-02 9:07 ` IT Superhack
2015-12-02 10:47 ` Michael Tremer
2015-12-02 18:19 ` IT Superhack
2015-12-07 16:35 ` [PATCH] Mark recommended ciphers/algorithms IT Superhack
2015-12-10 17:16 ` Michael Tremer
2015-12-13 15:10 ` IT Superhack
2015-12-13 17:47 ` Larsen
2015-12-15 14:13 ` Michael Tremer
2015-12-15 15:03 ` Larsen
2015-12-15 21:18 ` Michael Tremer
2015-12-16 8:06 ` Larsen
2015-12-18 16:12 ` IT Superhack
2016-01-01 16:54 ` IT Superhack
2016-01-04 16:31 ` Michael Tremer
2016-01-10 16:29 ` IT Superhack
2016-01-10 22:22 ` Michael Tremer
2016-01-02 13:03 ` ue
2016-01-04 16:36 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1451925410.31655.260.camel@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox