From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] correct default hash and DH params settings
Date: Sat, 20 Jan 2018 15:57:53 +0100
Message-ID: <20180120155753.6bdd6ca6.peter.mueller@link38.eu>
In-Reply-To: <1515603168.2392.5.camel@ipfire.org>

Hello,

sorry for the late reply.

> Hi,
>
> so I guess this patch does two things:
Yes, I know. Better send in two patches...
>
> a) Mark some ciphers, etc. as weak
Yes.
>
> b) Changes the default integrity to SHA512
The default hash setting _is_ SHA512 already, but the description beside
it still says it would be SHA1, so I corrected that. But you are right,
the other SHA1 part down below changes the hash algorithm used.
>
> The first part is absolutely fine with me. We have been doing the same
> for IPsec.
>
> The latter one however, I am not so sure about. I consider SHA1 as
> broken, but that is true for some other things here as well. So I would
> like to propose to leave this untouched so far and change these when we
> upgrade to OpenVPN 2.4.
I did not notice 2.4 to be in development.
>
> Then, we can also change to AES-GCM or something better even. That is
> still up for debate. Though. But at least we won't change defaults
> twice.
All right, if you agree, I will just send in a small patch correcting the
"default" string in the WebUI so we stay consistent here.

Best regards,
Peter Müller
>
> -Michael
>
> On Sun, 2018-01-07 at 11:34 +0100, Peter Müller wrote:
> > Default hash algorithm is now SHA512 instead of SHA1, but
> > the description text has not been updated, yet.
> >
> > Further, make sure that 1024 bit DH parameters are always
> > marked as weak.
> >
> > Signed-off-by: Peter M=C3=BCller > > --- > > html/cgi-bin/ovpnmain.cgi | 9 ++++----- > > 1 file changed, 4 insertions(+), 5 deletions(-) > >=20 > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > > index 638e8ef0f..71fd6f06b 100644 > > --- a/html/cgi-bin/ovpnmain.cgi > > +++ b/html/cgi-bin/ovpnmain.cgi > > @@ -2002,7 +2002,7 @@ END > > > > $Lang::tr{'ovpn dh'}: > > > > > > - $Lang::tr{'openvpn default'}: SHA1 (160 $Lang= ::tr{'bit'}) > > + $Lang::tr{'openvpn default'}: SHA2 (512 $Lang= ::tr{'bit'}) > > > > > > =20 > > @@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') { > > $selected{'DAUTH'}{'SHA384'} =3D ''; > > $selected{'DAUTH'}{'SHA256'} =3D ''; > > $selected{'DAUTH'}{'SHA1'} =3D ''; > > - # If no hash algorythm has been choosen yet, select > > - # the old default value (SHA1) for compatiblity reasons. > > + # Use SHA512 as default. > > if ($cgiparams{'DAUTH'} eq '') { > > - $cgiparams{'DAUTH'} =3D 'SHA1'; > > + $cgiparams{'DAUTH'} =3D 'SHA512'; > > } > > $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; > > =20 --===============4709771171010713967==--
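Review bot: In the first hunk (@@ -2002) the new label reads `SHA2 (512 $Lang::tr{'bit'})`, while the selector keys in the second hunk are named `SHA512`, `SHA384`, `SHA256` and `SHA1`, so the description uses a name that does not appear among the selectable values. Writing the label as SHA512, or as SHA2-512, would let an administrator match the stated default to the option actually offered. The commit message also announces that 1024 bit DH parameters are always marked as weak, but no such change is visible in the lines shown here; that part would be easier to review as its own patch with its own description, as already suggested in the thread.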
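Review bot: In the second hunk (@@ -4567) the fallback for an empty `$cgiparams{'DAUTH'}` changes from `SHA1` to `SHA512`, and the removed comment stated that the SHA1 fallback existed for compatibility reasons, so this is a behaviour change and not only a text correction. A net-to-net connection saved without a DAUTH value would now be shown and written out as SHA512 while the remote peer may still be configured for SHA1, and mismatched auth digests on the two ends prevent the tunnel from coming up. I would either keep the SHA1 fallback for existing connections and apply SHA512 only when a new connection is created, or move this hunk into the separate change planned for the OpenVPN 2.4 upgrade and describe the migration in the commit message. The replacement comment `# Use SHA512 as default.` should also say that it covers connections with no stored value, since that is the case the condition actually tests.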