From: ue <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Mark recommended ciphers/algorithms
Date: Sat, 02 Jan 2016 14:03:40 +0100 [thread overview]
Message-ID: <76593C6C-4FD6-43C9-8FAF-D0808AE40E7B@ipfire.org> (raw)
In-Reply-To: <1449767773.31655.108.camel@ipfire.org>
Hi all,
and first of all, a good new year to you all.
>
> I agree, that it is desirable to use longer keys. However, I am not
> sure if it is a good idea to go all the way for 4096 bit and not only
> for e.g. 2048 bit. Why not 8192 even?
>
> I would like to read some justification for the values that are picked.
>
> Furthermore, I think that the upper bound should be something that
> the average IPFire box is able to handle.
I tried that now with OpenVPN, whereby I added a flip menu in the 'Generate Root/Host Certificate' section, as it is for the Diffie-Hellman parameter, so the key lengths aren't hardcoded anymore and can be configured by the user. Added for the root CA 4096, 8192 and 16348 bit length selection possibilities and for the host CA 2048, 4096, 8192 and also 16348 bit. The configured key length for the host CA was also used for the control channel.
The Root CA generation took 31 minutes for a 16348 bit key length, the Host CA 12 minutes for 8192 bit and a 1024 bit DH parameter needed 2 minutes, which is in summary ~45 minutes. The generation time also differs on every generation.
The creation of a new client PKCS#12 package for 8192 bit needed 3 minutes.
The key exchange with a Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 8192 bit RSA needed 10 sec.
All tests were made with a JNC9C --> http://fireinfo.ipfire.org/profile/72d11e77621ec66ea75d39e3c9b10025e746e5af and without HWRNG or PRNG.
If someone is interested in an ovpnmain.cgi diff and/or more testing results, let me know.
Greetings,
Erik
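The timings above were measured on one specific box. As an added example (not part of this thread and not the ovpnmain.cgi change Erik describes), the script below lets a reader repeat that measurement on their own hardware with the openssl CLI, and also shows the check a CGI that offers a key-length menu should apply before handing the submitted value to openssl: accept only sizes that are actually on the menu. The function names, the candidate size lists and the default benchmark sizes are this example's own choices and are labelled as such in the comments; the script assumes `openssl` and a `date` that understands `+%s` are on PATH.

```shell
#!/bin/sh
# Added example, not code from the IPFire project or from the patch under discussion.
# Purpose: measure how long RSA key and DH parameter generation takes on this
# machine, so an upper bound for a key-length menu rests on measured cost,
# and validate a user-supplied key length against the menu before use.

# Candidate sizes for a root and a host key (example values, not the project's menu).
ROOT_KEY_SIZES="4096 8192 16384"
HOST_KEY_SIZES="2048 4096 8192 16384"

# is_allowed_size LIST VALUE: return 0 if VALUE is one of the space-separated
# entries in LIST, 1 otherwise. A CGI parameter must never reach the openssl
# command line unchecked; restricting it to the fixed menu values is the check.
is_allowed_size() {
    for s in $1; do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# bench_rsa_keygen BITS: print the whole seconds needed to generate one RSA key
# of BITS bits. The key itself is discarded; only the time matters here.
bench_rsa_keygen() {
    bits="$1"
    start=$(date +%s)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$bits" >/dev/null 2>&1
    end=$(date +%s)
    echo $((end - start))
}

# bench_dh_params BITS: print the whole seconds needed to generate DH
# parameters of BITS bits (openssl dhparam prints progress dots to stderr).
bench_dh_params() {
    bits="$1"
    start=$(date +%s)
    openssl dhparam "$bits" >/dev/null 2>&1
    end=$(date +%s)
    echo $((end - start))
}

# report_rsa LIST: benchmark every size in LIST and print "bits seconds" lines.
# Only sizes that pass is_allowed_size are run, mirroring the CGI check.
report_rsa() {
    for bits in $1; do
        if is_allowed_size "$1" "$bits"; then
            echo "rsa $bits $(bench_rsa_keygen "$bits")"
        fi
    done
}

# When run directly with arguments, benchmark those RSA sizes; with the single
# argument "dh" followed by a size, benchmark DH parameters instead.
# With no arguments nothing runs, so the functions can be sourced and reused.
if [ "$#" -gt 0 ]; then
    if [ "$1" = "dh" ]; then
        echo "dh $2 $(bench_dh_params "$2")"
    else
        report_rsa "$*"
    fi
fi
```

Usage: `sh bench.sh 2048 4096 8192` prints one `rsa <bits> <seconds>` line per size, and `sh bench.sh dh 2048` does the same for DH parameters. Large sizes take minutes, as the numbers in the mail show, so start small and grow the list; whole-second resolution is deliberate, since the question is which sizes are still tolerable at all on the target box.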