From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] IPsec/OpenVPN: Use 4,096-bit RSA for host certificates as well
Date: Thu, 03 Nov 2022 16:43:07 +0000	[thread overview]
Message-ID: <C1C03AE5-738B-4CD3-99F5-44E59E14396F@ipfire.org> (raw)
In-Reply-To: <06498720-4e0d-a58f-5914-b46cd91d755b@ipfire.org>


Hello Peter,

This is great.

We picked 2048 to be able to generate those keys very quickly. Since that was a long time ago and the average hardware has become a lot faster - and RDRAND is a lot more common - this is a great change!

Best,
-Michael

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 3 Nov 2022, at 15:29, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> We already moved away from 2048-MODP in Core Update 170. Similarly,
> the German Federal Office for Information Security (BSI) recommends shifting
> away from RSA keys below 3,000 bits by the end of 2022 at the latest.
> 
> The only place left in IPFire 2.x where we generate such keys is for
> IPsec and OpenVPN host certificates. This patch increases their key
> sizes to 4,096 bits as well - CA certificates already have this length.
> 
> Existing VPN connections cannot be migrated automatically. However, only
> the respective host certificate has to be regenerated - thanks to the CA
> certificates' key length being sufficient, there is no need to replace
> the entire VPN CA.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> html/cgi-bin/ovpnmain.cgi | 10 ++++------
> html/cgi-bin/vpnmain.cgi  |  4 ++--
> 2 files changed, 6 insertions(+), 8 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 90d3710e4..f85d610d8 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2014  IPFire Team  <info(a)ipfire.org>                     #
> +# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -18,9 +18,7 @@
> # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
> #                                                                             #
> ###############################################################################
> -###
> -# Based on IPFireCore 77
> -###
> +
> use CGI;
> use CGI qw/:standard/;
> use Imager::QRCode;
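
Review bot: Dropping the "Based on IPFireCore 77" comment header is unrelated to the key-size change the subject describes; either leave it out of this patch or mention the cleanup in the commit message so the change history stays searchable.
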
> @@ -1970,7 +1968,7 @@ END
>    }
> } else { # child
>    unless (exec ('/usr/bin/openssl', 'req', '-nodes',
> - '-newkey', 'rsa:2048',
> + '-newkey', 'rsa:4096',
> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
> '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
> '-extensions', 'server',
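
Review bot: Unlike the IPsec host-certificate hunk in vpnmain.cgi, which passes `-sha256` explicitly, this exec leaves the CSR signature digest to whatever ovpn.cnf sets as default_md; if the goal is to bring these certificates up to current recommendations, add `'-sha256'` after `'-nodes'` here as well, or confirm that default_md in ovpn.cnf is already SHA-256. Also worth noting for testers: 4096-bit generation in this forked child takes several times longer than 2048-bit, so the parent's wait on the child should be exercised on low-end hardware.
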
> @@ -4363,7 +4361,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
> }
>    } else { # child
> unless (exec ('/usr/bin/openssl', 'req', '-nodes',
> - '-newkey', 'rsa:2048',
> + '-newkey', 'rsa:4096',
> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
> '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
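
Review bot: This call site sits in the `$cgiparams{'TYPE'} eq 'net'` branch and generates the per-connection key `$cgiparams{'NAME'}key.pem`, not the host key; the commit message says host certificates are the only remaining 2048-bit generation, so it should state that OpenVPN net-to-net connection certificates are changed as well, since operators will need to regenerate those too if they want 4096-bit keys. As in the server-key hunk above, `-sha256` is not passed and the digest depends on ovpn.cnf.
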
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index fc250b1f5..6c1fd4cf0 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -1093,7 +1093,7 @@ END
> &General::log("ipsec", "Creating host cert...");
> if (open(STDIN, "-|")) {
> my $opt = " req -sha256 -nodes";
> - $opt .= " -newkey rsa:2048";
> + $opt .= " -newkey rsa:4096";
> $opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
> $opt .= " -out ${General::swroot}/certs/hostreq.pem";
> $errormessage = &callssl ($opt);
> @@ -2139,7 +2139,7 @@ END
> 
> if (open(STDIN, "-|")) {
> my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
> - $opt .= " -newkey rsa:2048";
> + $opt .= " -newkey rsa:4096";
> $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
> $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
> 
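
Review bot: The `-rand /proc/interrupts:/proc/net/rt_cache` kept on this `req` line is legacy seeding: OpenSSL 1.1.1 and later seed their DRBG from the kernel via getrandom(), and /proc/net/rt_cache has been an empty stub since the IPv4 routing cache was removed in Linux 3.6, so these files contribute nothing to the larger 4096-bit key and the option should be dropped rather than carried forward. This hunk also omits `-sha256` while the host-certificate hunk at line 1093 of the same file passes it; the two `req` invocations in vpnmain.cgi should agree on the digest.
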
> -- 
> 2.35.3
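
The commit message notes that existing connections are not migrated and that the host certificate has to be regenerated by hand. The script below is an added example, not IPFire code, for finding which certificates and keys on a box still carry a pre-patch key length. It assumes swroot is /var/ipfire (the patch only shows `${General::swroot}`), that `openssl` is on the PATH, and it uses the 3000-bit floor from the BSI figure quoted in the commit message as the default threshold; ECDSA material is reported as non-RSA rather than flagged.

```shell
#!/bin/sh
# Added example, not IPFire code: audit the RSA key length of existing IPsec
# and OpenVPN certificates/keys so that anything still generated with the old
# 'rsa:2048' default can be found and regenerated. Assumptions: swroot is
# /var/ipfire (the patch only shows ${General::swroot}), and the 3000-bit
# floor is the BSI figure quoted in the commit message.

MIN_BITS="${MIN_BITS:-3000}"

# rsa_key_bits FILE: print the RSA modulus length in bits of a PEM certificate
# or private key; print nothing if the file is not an RSA key/cert.
# Handles both OpenSSL 1.1.1 ("RSA Public-Key: (2048 bit)",
# "Private-Key: (2048 bit, 2 primes)") and 3.x ("Public-Key: (2048 bit)").
rsa_key_bits() {
    f="$1"
    if grep -q 'BEGIN CERTIFICATE' "$f"; then
        out=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || return 0
    else
        out=$(openssl pkey -in "$f" -noout -text 2>/dev/null) || return 0
    fi
    # Only RSA output carries an rsaEncryption / modulus marker.
    printf '%s\n' "$out" | grep -qiE 'rsaEncryption|modulus:' || return 0
    printf '%s\n' "$out" | sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# audit_key_sizes FILE...: print one line per file; return 1 if any RSA key
# is shorter than MIN_BITS, so the exit status can drive a cron alert.
audit_key_sizes() {
    weak=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        bits=$(rsa_key_bits "$f")
        if [ -z "$bits" ]; then
            printf '%-60s %s\n' "$f" "not RSA / unreadable"
        elif [ "$bits" -lt "$MIN_BITS" ]; then
            printf '%-60s %s bit  REGENERATE\n' "$f" "$bits"
            weak=1
        else
            printf '%-60s %s bit  ok\n' "$f" "$bits"
        fi
    done
    return $weak
}

# Typical invocation on the firewall; the directories are the assumed swroot
# locations of ${General::swroot}/certs and ${General::swroot}/ovpn/certs
# from the patch:
#   sh audit-keys.sh --scan
if [ "${1:-}" = "--scan" ]; then
    audit_key_sizes /var/ipfire/certs/*.pem /var/ipfire/ovpn/certs/*.pem
fi
```

Any file reported as REGENERATE is a host or connection certificate that should be re-created through the web interface once this patch is installed; the CA certificates, which the commit message says are already 4096-bit, will show up as ok.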

