From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] correct default hash and DH params settings Date: Wed, 10 Jan 2018 16:52:48 +0000 Message-ID: <1515603168.2392.5.camel@ipfire.org> In-Reply-To: <20180107113450.03a62842.peter.mueller@link38.eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7614373806799691371==" List-Id: --===============7614373806799691371== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, so I guess this patch does two things: a) Mark some ciphers, etc. as weak b) Changes the default integrity to SHA512 The first part is absolutely fine with me. We have been doing the same for IPsec. The latter one however, I am not so sure about. I consider SHA1 as broken, but that is true for some other things here as well. So I would like to propose to leave this untouched so far and change these when we upgrade to OpenVPN 2.4. Then, we can also change to AES-GCM or something better even. That is still up for debate. Though. But at least we won't change defaults twice. -Michael On Sun, 2018-01-07 at 11:34 +0100, Peter M=C3=BCller wrote: > Default hash algorithm is now SHA512 instead of SHA1, but > the description text has not been updated, yet. >=20 > Further, make sure that 1024 bit DH parameters are always > marked as weak. >=20 > Signed-off-by: Peter M=C3=BCller > --- > html/cgi-bin/ovpnmain.cgi | 9 ++++----- > 1 file changed, 4 insertions(+), 5 deletions(-) >=20 > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 638e8ef0f..71fd6f06b 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -2002,7 +2002,7 @@ END > > $Lang::tr{'ovpn dh'}: > > > - $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::= tr{'bit'}) > + $Lang::tr{'openvpn default'}: SHA2 (512 $Lang::= tr{'bit'}) > > > =20 > @@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') { > $selected{'DAUTH'}{'SHA384'} =3D ''; > $selected{'DAUTH'}{'SHA256'} =3D ''; > $selected{'DAUTH'}{'SHA1'} =3D ''; > - # If no hash algorythm has been choosen yet, select > - # the old default value (SHA1) for compatiblity reasons. > + # Use SHA512 as default. > if ($cgiparams{'DAUTH'} eq '') { > - $cgiparams{'DAUTH'} =3D 'SHA1'; > + $cgiparams{'DAUTH'} =3D 'SHA512'; > } > $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; > =20 --===============7614373806799691371== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUU1L3JXNWwzR0dl Mnlwa3R4Z0hudy8yK1FDUWNGQWxwV1JPQUFDZ2tRZ0hudy8yK1EKQ1Fjc0hSQUFuUXJkSmlxYU1O VVJrdis0amhIbWJNU250WXUvWERCdENySGQwdUMwTU5zYXdKd1RxZmtrdkVmNApRdlJTWi8xWGNF bkpBaGVQQjhKYnJqZHAwU0kvNmVjVFBqdGo0TTdwejNRUDNFY3dkb25DR0tuVGdhMC91dU5yCnFR TUVGaUFsbmNvK1F3YjJnVDdEb3lFaVBHSEk4eTBwa2ZUTGdBUHhGVFF3Vm5SelcxdG45R1ZuaWJk Q0twYUwKUlJQT3VRMEM0ZDBKTFFVYkdHdG8wekJrM0VEVGllNUc0TC85cmI1WlhtVUxmYmZRWFJB cEp5eUVEc3JUMlNtbwpuTTltVnhLdXFsc0JadFFoc05yN3ZyUkk3QzBYNmdLdVVCMGI5V2hZZHQ2 aHpjV0tSSnpTa3lydUFSaXJ5dk8xCkxGZkF6OUdvK3NwQlRSSXFEQ3VwRnNxejArck9hS2RyRG9P UWFubEpKMzgxRHVYSHlzTlA4a3BjUUNDVEE3SnEKY254eHoxMXVLZG85RExwbzIyLzdUNTNOQkk1 dkg0NEx4c2tyaHRsbjFJWmI4MFVMSEloQ2puWFVOTEdaWmhQTApmZ2h0c1hrSDNNWHhPVHkwMFFH ZXhIU1F0cSswL0VId3Bpa3VuQ0d5UGd5eUkxc1ZVVmtEMmxlem01ajNSSUg0CjJ1M01veUVZYzA5 eDVpQURubW1jTEY2bXRyRWdCOU40MnV4czFJM0grTmkyMjNjWHZnZ3oweDk4dzQweWNXWlEKUnVk ZWdiT1p2ZFBUWUdDMXRkWGFpZjFDSXZRM2RjNmNwRzBwT3dNMHA3RFFBME03NUVRaVBtcUN6ZnRN Z0owVwpadXZaM3lzd3JPbUdWWm5laTFhdnA4NFdDQUc4M0lyWGx2RmRlWC9IalJxc0l1bHBIZjQ9 Cj1SSmZOCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo= --===============7614373806799691371==--