Re: [PATCH] correct default hash and DH params settings

["Peter Müller" <peter.mueller@link38.eu>]

[-- Attachment #1: Type: text/plain, Size: 3449 bytes --]

Hello,

sorry for the late reply.

> Hi,
> 
> so I guess this patch does two things:
Yes, I know. Better send in two patches...
> 
> a) Mark some ciphers, etc. as weak
Yes.
> 
> b) Changes the default integrity to SHA512
The default hash setting _is_ SHA512 already, but the description beside
it still says it would be SHA1, so I corrected that.

But you are right, the other SHA1 part down below changes used hash
algorithm.
> 
> The first part is absolutely fine with me. We have been doing the same
> for IPsec.
> 
> The latter one however, I am not so sure about. I consider SHA1 as
> broken, but that is true for some other things here as well. So I would
> like to propose to leave this untouched so far and change these when we
> upgrade to OpenVPN 2.4.
I did not noticed 2.4 to be in development.
> 
> Then, we can also change to AES-GCM or something better even. That is
> still up for debate. Though. But at least we won't change defaults
> twice.
All right, if you agree, I just send in a small patch correcting the
"default" string in the WebUI so we stay consistent here.

Best regards,
Peter Müller
> 
> -Michael
> 
> On Sun, 2018-01-07 at 11:34 +0100, Peter Müller wrote:
> > Default hash algorithm is now SHA512 instead of SHA1, but
> > the description text has not been updated, yet.
> > 
> > Further, make sure that 1024 bit DH parameters are always
> > marked as weak.
> > 
> > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > ---
> >  html/cgi-bin/ovpnmain.cgi | 9 ++++-----
> >  1 file changed, 4 insertions(+), 5 deletions(-)
> > 
> > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> > index 638e8ef0f..71fd6f06b 100644
> > --- a/html/cgi-bin/ovpnmain.cgi
> > +++ b/html/cgi-bin/ovpnmain.cgi
> > @@ -2002,7 +2002,7 @@ END
> >  	    </select></td>
> >  	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
> >  		<td class='base'><select name='DHLENGHT'>
> > -				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
> > +				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
> >  				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
> >  				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
> >  				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
> > @@ -2847,7 +2847,7 @@ print <<END;
> >  				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> >  			</select>
> >  		</td>
> > -		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
> > +		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA2 (512 $Lang::tr{'bit'})</span></td>
> >      </tr>
> >  </table>
> >  
> > @@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
> >      $selected{'DAUTH'}{'SHA384'} = '';
> >      $selected{'DAUTH'}{'SHA256'} = '';
> >      $selected{'DAUTH'}{'SHA1'} = '';
> > -    # If no hash algorythm has been choosen yet, select
> > -    # the old default value (SHA1) for compatiblity reasons.
> > +    # Use SHA512 as default.
> >      if ($cgiparams{'DAUTH'} eq '') {
> > -	$cgiparams{'DAUTH'} = 'SHA1';
> > +	$cgiparams{'DAUTH'} = 'SHA512';
> >      }
> >      $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
> >