From: ue
To: development@lists.ipfire.org
Subject: Re: [PATCH] Mark recommended ciphers/algorithms
Date: Sat, 02 Jan 2016 14:03:40 +0100
Message-ID: <76593C6C-4FD6-43C9-8FAF-D0808AE40E7B@ipfire.org>
In-Reply-To: <1449767773.31655.108.camel@ipfire.org>

Hi all,

and for the first a good new year to you all.

> I agree, that it is desirable to use longer keys. However, I am not
> sure if it is a good idea to go all the way for 4096 bit and not only
> for e.g. 2048 bit. Why not 8192 even?
>
> I would like to read some justification for the values that are picked.
>
> Furthermore, I think that the upper bound should be something that
> the average IPFire box is able to handle.

Tried that now with OpenVPN, whereby I added a flip menu in the 'Generate Root/Host Certificate' section, as it is for the Diffie-Hellman parameter, so the key lengths aren't hardcoded anymore and can be configured by the user. Added for the root CA 4096, 8192 and 16348 bit length selection possibilities and for the host CA 2048, 4096, 8192 and also 16348 bit. The configured key length for the host CA was also used for the control channel.

The Root CA generation took 31 minutes for a 16348 bit key length, the Host CA 12 minutes for 8192 bit and a 1024 bit DH parameter needed 2 minutes, which is in summary ~45 minutes. The generation time also differs on every generation.

The creation of a new client PKCS#12 package for 8192 bit needed 3 minutes.

The key exchange with a Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 8192 bit RSA needed 10 sec.

All tests were made with a JNC9C --> http://fireinfo.ipfire.org/profile/72d11e77621ec66ea75d39e3c9b10025e746e5af and without HWRNG or PRNG.

If someone is interested in an ovpnmain.cgi diff and/or more testing results, let me know.

Greetings,

Erik
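The measurement Erik describes above (root CA, host certificate and DH parameter generation at selectable key lengths) can be reproduced outside IPFire with the openssl command-line tool. The script below is an added example written for this archive, not code from the thread or from IPFire's ovpnmain.cgi. It assumes `openssl` is in PATH and a writable temporary directory; the key sizes, the optional DH size and the certificate subjects are constructed defaults, overridable through the KEY_SIZES, DH_BITS and WORKDIR environment variables. Besides timing each step it checks that the generated key and certificate really carry the requested modulus size, which is the check a reviewer would want before trusting a new key-length option in a web UI.

```shell
#!/bin/sh
# Added example (not from the IPFire thread): time RSA key, root CA, host
# certificate and optional DH parameter generation with the openssl CLI,
# and verify the produced key material has the requested modulus size.
# Assumed: openssl in PATH. KEY_SIZES/DH_BITS/WORKDIR are constructed
# defaults; 8192- and 16384-bit keys take minutes, as the mail reports.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_SIZES="${KEY_SIZES:-2048 4096}"
DH_BITS="${DH_BITS:-}"            # e.g. DH_BITS=1024 to also time dhparam

# elapsed CMD... -> run CMD, print the wall-clock seconds it took
elapsed() {
    start=$(date +%s)
    "$@"
    end=$(date +%s)
    echo $((end - start))
}

# gen_rsa_key BITS OUT -> write an RSA private key, print seconds taken
gen_rsa_key() {
    elapsed openssl genrsa -out "$2" "$1" 2>/dev/null
}

# key_bits KEYFILE -> print the modulus size recorded in the private key
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# make_root_ca CAKEY CACERT -> self-signed CA certificate for CAKEY
make_root_ca() {
    openssl req -x509 -new -key "$1" -subj "/CN=Example Root CA" \
        -days 365 -out "$2" 2>/dev/null
}

# make_host_cert HOSTKEY CAKEY CACERT HOSTCERT -> host cert signed by the CA
make_host_cert() {
    csr="$4.csr"
    openssl req -new -key "$1" -subj "/CN=example-host" -out "$csr" 2>/dev/null
    openssl x509 -req -in "$csr" -CA "$3" -CAkey "$2" -CAcreateserial \
        -days 365 -out "$4" 2>/dev/null
}

# cert_key_bits CERT -> modulus size of the public key inside a certificate
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found in PATH; nothing measured" >&2
else
    for bits in $KEY_SIZES; do
        cakey="$WORKDIR/ca-$bits.key"; cacert="$WORKDIR/ca-$bits.crt"
        hostkey="$WORKDIR/host-$bits.key"; hostcert="$WORKDIR/host-$bits.crt"

        t=$(gen_rsa_key "$bits" "$cakey")
        echo "root CA key  $bits bit: ${t}s (key reports $(key_bits "$cakey") bit)"
        make_root_ca "$cakey" "$cacert"

        t=$(gen_rsa_key "$bits" "$hostkey")
        echo "host key     $bits bit: ${t}s"
        make_host_cert "$hostkey" "$cakey" "$cacert" "$hostcert"
        echo "host cert    $bits bit: cert reports $(cert_key_bits "$hostcert") bit"
    done

    if [ -n "$DH_BITS" ]; then
        t=$(elapsed openssl dhparam -out "$WORKDIR/dh$DH_BITS.pem" "$DH_BITS" 2>/dev/null)
        echo "DH params    $DH_BITS bit: ${t}s"
    fi
fi
```

Run it as `KEY_SIZES="2048 4096 8192" DH_BITS=1024 sh keygen-timing.sh` to mirror the sizes from the mail; the wall-clock numbers will vary from run to run, as Erik notes, because RSA key generation is a randomised prime search.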