public inbox for development@lists.ipfire.org
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Fix for '--ns-cert-type server is deprecated' .
Date: Tue, 17 Oct 2017 17:52:54 +0200
Message-ID: <662EFB16-5059-45D4-8C77-404702B06ECC@ipfire.org>
In-Reply-To: <1508182831.19915.38.camel@ipfire.org>


Hi Michael,

> I generally like the idea. However, I am not sure if anyone will know how to use
> this.
This was also one of my concerns; you are probably right that these settings might not be clear for everyone.

> Do all OSes support 12k RSA keys?
I have tested it so far on Linux and Mac (also older ones, up to 10.7) systems, and also in some N2N connections with older boards (JNC9C), where it was no problem. The generation time for the PKI, but also for every newly generated client, grows with the use of more bits, and the key exchange also needs a little longer.

> Or should we rather not make this
> decision for our users and pick the best that works for everyone?
We did that some time ago, when we doubled the bits from 1024 to 2048 (HOST) and from 2048 to 4096 (ROOT). The OpenVPN hardening page suggests, for "future system near-term use" (specified as 10 years), 3072 bits or more --> https://community.openvpn.net/openvpn/wiki/Hardening#X.509keysize . The reference material is from an ENISA report from 2013, which is now also some time ago.

Another interesting topic might be ECC. Since OpenVPN 2.4.x, elliptic curve crypto has been introduced, whereby the comparison between RSA and ECC seems to be interesting in terms of the different algorithm key sizes. I haven't found the original NSA paper, but here --> http://www.atmel.com/Images/Atmel-8951-CryptoAuth-RSA-ECC-Comparison-Embedded-Systems-WhitePaper.pdf under table one a security comparison can be found.

Getting the whole ECC PKI into ovpnmain.cgi might not be done so fast, but I think in the not so distant future it might also become a standard.

Greetings,

Erik
