Hi,

On Sat, 2016-01-02 at 14:03 +0100, ue wrote:
> Hi all,
> and for the first a good new year to you all.
>
> > I agree, that it is desirable to use longer keys. However, I am not
> > sure if it is a good idea to go all the way for 4096 bit and not only
> > for e.g. 2048 bit. Why not 8192 even?
> >
> > I would like to read some justification for the values that are
> > picked.
> >
> > Furthermore, I think that the upper bound should be something that
> > the average IPFire box is able to handle.
>
> Tried that now with OpenVPN, whereby I added a flip menu in the
> 'Generate Root/Host Certificate' section as it is for the
> Diffie-Hellman parameter, so the key lengths aren't hardcoded anymore
> and can be configured by the user. Added for the root CA 4096, 8192
> and 16348 bit length selection possibilities and for the host CA 2048,
> 4096, 8192 and also 16348 bit. The configured key length for the host
> CA was also used for the control channel.

Is it even possible to use arbitrary key lengths with OpenVPN? 16k is
really really long.

> The Root CA generation took 31 minutes for a 16348 bit key length, the
> Host CA 12 minutes for 8192 bit and a 1024 bit DH parameter needed 2
> minutes, which is in summary ~45 minutes. The generation time also
> differs on every generation.
> The creation of a new client PKCS#12 package for 8192 bit needed 3
> minutes.
> The key exchange with a Control Channel: TLSv1.2, cipher TLSv1/SSLv3
> DHE-RSA-AES256-GCM-SHA384, 8192 bit RSA needed 10 sec.

This sounds incredibly fast to me. We had devices on which that took
way longer.

I have recently seen a talk about using /dev/urandom instead. This is
probably worth a watch: https://www.youtube.com/watch?v=Q8JAlZ-HJQI

> All tests were made with a JNC9C -->
> http://fireinfo.ipfire.org/profile/72d11e77621ec66ea75d39e3c9b10025e746e5af
> and without HWRNG or PRNG.
>
> If someone is interested in an ovpnmain.cgi diff and/or more testing
> results, let me know.

You can post it as a patch on here and add a note that this is for
testing only and not (yet?) intended to be merged.

> Greetings,
> Erik

Best,
-Michael
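The timings above are box-specific, and the question of whether a non-standard length such as 16348 bit is accepted at all is easy to settle locally. The following script is an added example, not code from the thread or from IPFire's ovpnmain.cgi: it times RSA key generation with the OpenSSL CLI (assumed to be on PATH) for a requested modulus size and reads the real modulus size back from the generated key instead of trusting the request.

```shell
#!/bin/sh
# Added example (not from the thread): time RSA key generation for a given
# modulus size and confirm the generated key really has that size.
# Assumes the openssl CLI (1.1.x or 3.x) is available on PATH.

# gen_rsa_timed BITS
#   prints "BITS SECONDS" on stdout; returns 0 when the key read back from
#   disk has exactly BITS modulus bits, 1 when generation failed or the
#   size does not match.
gen_rsa_timed() {
    bits="$1"
    key="$(mktemp)" || return 1
    start=$(date +%s)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$bits" \
        -out "$key" 2>/dev/null || { rm -f "$key"; return 1; }
    end=$(date +%s)
    # Parse "Private-Key: (NNNN bit" (1.1.x prints "RSA Private-Key: (...").
    actual=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p')
    rm -f "$key"
    echo "$bits $((end - start))"
    [ "$actual" = "$bits" ]
}

# Stand-alone run: the two sizes under discussion for the host CA that finish
# quickly; 8192 and above take minutes on a slow box, so try them deliberately.
for b in 2048 4096; do
    gen_rsa_timed "$b" || echo "generation or size check failed for $b bit" >&2
done
```

Run it on the IPFire box itself to get numbers comparable to Erik's; the seconds column is wall-clock time, so on a box without a HWRNG it also reflects any wait for entropy.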