From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Fix for '--ns-cert-type server is deprecated' .
Date: Fri, 13 Oct 2017 16:41:53 +0200
Message-ID: <2545D503-4A23-4A6D-9996-6C3704B65228@ipfire.org>
In-Reply-To: <1507719492.4045.68.camel@ipfire.org>

Hi Michael,
thank you too for merging.

I have thought about also introducing with this patch a choice (flip menus) for ROOT and HOST CA key lengths if a new PKI is generated. To use the new --remote-cert-tls there is anyway the need to generate a new PKI, so it might possibly be nice to then also have a possibility to select the key lengths of IPFire's certificates?

A possible solution could look like this --> https://forum.ipfire.org/viewtopic.php?f=50&t=18852&start=15#p108795 so the ROOT CA is provided with 4096, 6144, 8192, 12288 and the HOST CA with 2048, 4096, 6144, 8192, 12288 bits.

I did some testing with that, whereby 12288 is the maximum; I also made tests with 16384, but this was too much for generating and also for usage.

As an extended idea.

Greetings,

Erik

> Thank you very much. Merged.
>
> On Fri, 2017-10-06 at 15:19 +0200, ummeegge wrote:
>> Hi all,
>> references and tests can be found here --> https://forum.ipfire.org/viewtopic.php?f=50&t=18852 .
>>
>> Greetings,
>>
>> Erik