From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Fix for '--ns-cert-type server is deprecated' .
Date: Tue, 17 Oct 2017 17:52:54 +0200
Message-ID: <662EFB16-5059-45D4-8C77-404702B06ECC@ipfire.org>
In-Reply-To: <1508182831.19915.38.camel@ipfire.org>

Hi Michael,

> I generally like the idea. However, I am not sure if anyone will know how to use
> this.

This was also one of my concerns; you are probably right that this setting might not be clear for everyone.

> Do all OSes support 12k RSA keys?

Have tested it so far on Linux and Mac (also older ones up to 10.7) systems, but also in some N2N connections with older boards (JNC9C), where it was no problem. The generation time for the PKI, but also for every newly generated client, grows with the usage of more bits, and the key exchange also needs a little longer.

> Or should we rather not make this
> decision for our users and pick the best that works for everyone?

We did that some time ago when we doubled the bits from 1024 to 2048 (HOST) and 2048 to 4096 (ROOT). The OpenVPN hardening page suggests for a "future system near term use", specified to 10 years, 3072 bit or more --> https://community.openvpn.net/openvpn/wiki/Hardening#X.509keysize . The reference material is from an ENISA report from 2013, which is now also some time ago.

Another interesting topic might be ECC. Since OpenVPN-2.4.x elliptic curve crypto has been introduced, whereby the comparison between RSA and ECC seems to be interesting in terms of the different algorithm key sizes. Haven't found the original NSA paper, but in here --> http://www.atmel.com/Images/Atmel-8951-CryptoAuth-RSA-ECC-Comparison-Embedded-Systems-WhitePaper.pdf under table one a security comparison can be found.

To get the whole ECC PKI into ovpnmain.cgi might not be so fast done, but I think in a not so far future it might also be a standard.

Greetings,

Erik
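As an added example for the key-size discussion in this thread (not part of the mail, of the patch or of IPFire's ovpnmain.cgi), a small POSIX shell script that times OpenSSL key generation for the RSA sizes mentioned (2048 host, 4096 root) next to a P-256 EC key and reads back the key size OpenSSL reports; it assumes `openssl` and GNU `date` (for `%N`) are in PATH, and the 12288-bit case is left opt-in because it can take minutes.

```shell
#!/bin/sh
# Added example, not from the IPFire thread: measure how OpenSSL key
# generation time grows with RSA key size and compare it with an EC curve,
# so the trade-off discussed on the list can be measured on a given box.
# Assumes an openssl binary and GNU date (%N nanoseconds) in PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

now_ms() { echo $(( $(date +%s%N) / 1000000 )); }

# key_path ALGO PARAM -> where gen_key stores the key for this combination
key_path() { echo "$WORK/$1-$2.pem"; }

# gen_key rsa BITS | gen_key ec CURVE -> prints milliseconds spent generating
gen_key() {
    out=$(key_path "$1" "$2")
    start=$(now_ms)
    case $1 in
        rsa) openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$out" 2>/dev/null ;;
        ec)  openssl genpkey -algorithm EC  -pkeyopt "ec_paramgen_curve:$2" -out "$out" 2>/dev/null ;;
        *)   echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
    echo $(( $(now_ms) - start ))
}

# key_bits FILE -> the key size OpenSSL reports ("Private-Key: (2048 bit, ...)")
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# compare rsa:BITS ec:CURVE ... -> one line per key with size and generation time
compare() {
    for spec in "$@"; do
        algo=${spec%%:*}
        param=${spec#*:}
        ms=$(gen_key "$algo" "$param")
        printf '%-16s %5s bit  %6s ms\n' "$spec" "$(key_bits "$(key_path "$algo" "$param")")" "$ms"
    done
}

# The 12288-bit RSA key proposed in the thread can take minutes: append
# rsa:12288 to this list to include it in the measurement.
compare rsa:2048 rsa:4096 ec:prime256v1
```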