From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Delete 1024 bit DH-parameter from menu
Date: Tue, 19 Jun 2018 20:39:13 +0200
Message-ID: <1529433553.13577.15.camel@ipfire.org>
In-Reply-To: <8bb086ce31c86c409ffa6495a0f9218ff9d92d7f.camel@ipfire.org>

Hi Michael,

On Tuesday, 19.06.2018, 14:03 +0100, Michael Tremer wrote:
> We need to *warn* people about these changes in advance.

This would be best suited, but I didn't realize that OpenVPN 2.4.x does not accept 1024 bit anymore. All testers seem to have overlooked this too, and the OpenVPN change log didn't point it out clearly...

> And we need to
> have a visual indicator that some action is required here to replace
> the DH params then.

Started to make a $problemmessage section where we can also put some other potential or real problems, e.g. a check for 'no MD5 for signature anymore', 'soon needed RFC3280 compliance for the certificates'. There is surely more... Good idea?

> We cannot break things and expect people to find something in the log
> files.

Should then be displayed, as written above, above the main settings section like $errormessage.

> Can we do that and automatically generate a 2k DH params for them?
> Would the clients notice that this has changed?

Except for a little longer time for the handshake, the clients won't realize this, since the DH parameter only takes place on the server side. Should we do an automatic DH generation of 2k via update.sh with the next update?

Best,

Erik

> Best,
> -Michael
>
> On Tue, 2018-06-19 at 13:58 +0200, ummeegge wrote:
> >
> > Hi Michael,
> > the connections won't start for these systems and the logs should
> > display an appropriate error; in that case they will need to
> > recreate it, which is possible over the WUI.
> > After the update to Core 120 only a few people wrote about that
> > problem, possibly because most people already use 2048 bit.
> >
> > Erik
> >
> > On Tuesday, 19.06.2018, 11:31 +0100, Michael Tremer wrote:
> > >
> > > Hello,
> > >
> > > this patch is fine, but what do we do with systems that already
> > > have a key generated with that size?
> > >
> > > -Michael
> > >
> > > On Mon, 2018-06-18 at 19:16 +0200, Erik Kapfer wrote:
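The thread above leaves open how an update script would know whether an installation still carries a 1024-bit DH parameter file and needs the automatic 2048-bit regeneration that Erik proposes. The following is an added example written for this page; it is not IPFire code and not part of the mailing-list thread. It parses a PEM "DH PARAMETERS" file (PKCS#3 DER: a SEQUENCE of INTEGER p and INTEGER g), reports the bit length of the prime p, decides whether the file is below the 2048-bit floor that OpenVPN 2.4 enforces, and returns the `openssl dhparam` command an update.sh-style script would run. The sample PEM is constructed inside the block with an arbitrary odd number of the wanted size (not a real safe prime; only the encoded length matters for the check), and the file path and the helper names are assumptions.

```python
"""Check whether an OpenVPN DH parameter file is below 2048 bits.

Added example (not IPFire code): parse the PEM "DH PARAMETERS" blob,
read the size of the prime p, and decide whether the file must be
regenerated before OpenVPN 2.4 will load it.
"""
import base64
import re

MIN_DH_BITS = 2048  # OpenVPN 2.4 rejects DH parameters smaller than this

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Return the bit length of the prime p in a PKCS#3 DH parameter PEM."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)     # first INTEGER is the prime p
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def needs_regeneration(pem_text, min_bits=MIN_DH_BITS):
    """True when the server-side DH parameter is too small for OpenVPN 2.4."""
    return dh_prime_bits(pem_text) < min_bits


def regen_command(path, bits=MIN_DH_BITS):
    """The openssl invocation an update script would run (returned, not executed)."""
    return ["openssl", "dhparam", "-out", path, str(bits)]


# --- constructed sample input (not a real safe prime; only the size matters) ---
def make_dh_pem(p_bits, g=2):
    """Build a syntactically valid DH PARAMETERS PEM whose p has p_bits bits."""
    def der_len(n):
        if n < 0x80:
            return bytes([n])
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(body)]) + body

    def der_int(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:              # keep the INTEGER positive
            raw = b"\x00" + raw
        return b"\x02" + der_len(len(raw)) + raw

    p = (1 << (p_bits - 1)) | 1        # odd number with exactly p_bits bits
    body = der_int(p) + der_int(g)
    der = b"\x30" + der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


if __name__ == "__main__":
    # Assumed path; the real location of the DH file is not stated in the thread.
    path = "dh.pem"
    for bits in (1024, 2048):
        pem = make_dh_pem(bits)
        print(bits, dh_prime_bits(pem), needs_regeneration(pem),
              " ".join(regen_command(path)) if needs_regeneration(pem) else "ok")
```

Only the prime's size is read; the check does not validate that p is prime or safe, which is what `openssl dhparam -check` would be for. Regeneration is left to openssl because, as the thread notes, the DH parameter lives only on the server side, so replacing the file and restarting OpenVPN is all a client will ever notice, apart from a somewhat slower handshake.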