From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] Mark recommended ciphers/algorithms
Date: Mon, 04 Jan 2016 16:36:50 +0000
Message-ID: <1451925410.31655.260.camel@ipfire.org>
In-Reply-To: <76593C6C-4FD6-43C9-8FAF-D0808AE40E7B@ipfire.org>

Hi,

On Sat, 2016-01-02 at 14:03 +0100, ue wrote:
> Hi all,
> and for the first a good new year to you all.
>
> > I agree, that it is desirable to use longer keys. However, I am not
> > sure if it is a good idea to go all the way for 4096 bit and not
> > only for e.g. 2048 bit. Why not 8192 even?
> >
> > I would like to read some justification for the values that are
> > picked.
> >
> > Furthermore, I think that the upper bound should be something that
> > the average IPFire box is able to handle.
>
> Tried that now with OpenVPN, whereby I added a flip menu in the
> 'Generate Root/Host Certificate' section as it is for the Diffie-Hellman
> parameter, so the key lengths aren't hardcoded anymore and can be
> configured by the user. Added for the root CA 4096, 8192 and 16348 bit
> length selection possibilities and for the host CA 2048, 4096, 8192 and
> also 16348 bit. The configured key length for the host CA was also used
> for the control channel.

Is it even possible to use arbitrary key lengths with OpenVPN? 16k is
really really long.

> The Root CA generation took 31 minutes for a 16348 bit key length, the
> Host CA 12 minutes for 8192 bit and a 1024 bit DH parameter needed 2
> minutes, which is in summary ~45 minutes. The generation time differs
> also on every generation.
> The creation of a new client PKCS#12 package for 8192 bit needed 3
> minutes.
> The key exchange with a Control Channel: TLSv1.2, cipher TLSv1/SSLv3
> DHE-RSA-AES256-GCM-SHA384, 8192 bit RSA needed 10 sec.

This sounds incredibly fast to me. We had devices on which that took way
longer.

I have recently seen a talk about using /dev/urandom instead. This is
probably worth a watch:

  https://www.youtube.com/watch?v=Q8JAlZ-HJQI

> All tests were made with a JNC9C -->
> http://fireinfo.ipfire.org/profile/72d11e77621ec66ea75d39e3c9b10025e746e5af
> and without HWRNG or PRNG.
>
> If someone is interested in an ovpnmain.cgi diff and/or more testing
> results, let me know.

You can post it as a patch on here and add a note that this is for
testing only and not (yet?) intended to be merged.

> Greetings,
> Erik

Best,
-Michael
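The generation times quoted in this thread were measured by hand on one box. As an added example that is not part of the thread and not IPFire's own ovpnmain.cgi code, the following POSIX shell script times RSA private-key generation with the openssl CLI for whichever modulus sizes are passed on the command line, and reads the modulus size back out of the generated PEM file, so a reader can see both how long a given box needs per size and that the requested length really ended up in the key. The function names and the script name rsa_bench.sh are assumptions of this example; openssl genpkey, openssl pkey, mktemp and date +%s are the only external commands it relies on.

```shell
#!/bin/sh
# Added benchmark (not IPFire code): time RSA key generation for several
# modulus sizes with the openssl CLI and confirm the resulting PEM key
# really has the requested size. Sizes are passed on the command line.

set -u

# gen_rsa_key BITS OUTFILE : generate an RSA private key of BITS bits.
gen_rsa_key() {
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$1" -out "$2" 2>/dev/null
}

# key_bits FILE : print the modulus size of an RSA private key in PEM form
# (parsed from the "Private-Key: (N bit ...)" line of openssl pkey -text).
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# rsa_gen_seconds BITS : generate one key and print "REQUESTED ACTUAL SECONDS".
# Wall-clock seconds via date +%s, coarse but comparable to the figures above.
rsa_gen_seconds() {
    bits=$1
    tmp=$(mktemp) || return 1
    start=$(date +%s)
    gen_rsa_key "$bits" "$tmp" || { rm -f "$tmp"; return 1; }
    end=$(date +%s)
    actual=$(key_bits "$tmp")
    rm -f "$tmp"
    echo "$bits $actual $((end - start))"
}

# bench_rsa SIZE... : one result line per size; a size openssl refuses is
# reported as failed instead of aborting the whole run.
bench_rsa() {
    for b in "$@"; do
        rsa_gen_seconds "$b" || echo "$b - failed"
    done
}

# Stand-alone usage: sh rsa_bench.sh 2048 4096 8192
if [ "$#" -gt 0 ]; then
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
    printf '%-9s %-6s %s\n' requested actual seconds
    bench_rsa "$@"
fi
```

Because generation time depends on the random search for primes (the thread notes it differs on every run), run the script a few times per size and look at the spread rather than a single value; sizes such as 16384 take correspondingly longer, which is exactly the "can the average box handle it" question raised above.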