Hello Peter, This is great. We picked 2048 to be able to generate those keys very quickly. Since that has been a long time ago and the average hardware has become a lot faster - and RDRAND is a lot more common - this is some great change! Best, -Michael Reviewed-by: Michael Tremer > On 3 Nov 2022, at 15:29, Peter Müller wrote: > > We already moved away from 2048-MODP in Core Update 170. Similarly, > German Federal Office for Information Security (BSI) recommends shifting > away from RSA keys below 3,000 bits by the end of 2022 at the latest. > > The only place left in IPFire 2.x where we generate such keys is for > IPsec and OpenVPN host certificates. This patch increases their key > sizes to 4,096 bits as well - CA certificates already have this length. > > Existing VPN connections cannot be migrated automatically. However, only > the respective host certificate has to be regenerated - thanks to the CA > certificates' key length being sufficient, there is no need to replace > the entire VPN CA. > > Signed-off-by: Peter Müller > --- > html/cgi-bin/ovpnmain.cgi | 10 ++++------ > html/cgi-bin/vpnmain.cgi | 4 ++-- > 2 files changed, 6 insertions(+), 8 deletions(-) > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 90d3710e4..f85d610d8 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -2,7 +2,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2014 IPFire Team # > +# Copyright (C) 2007-2022 IPFire Team # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -18,9 +18,7 @@ > # along with this program. If not, see . # > # # > ############################################################################### > -### > -# Based on IPFireCore 77 > -### > + > use CGI; > use CGI qw/:standard/; > use Imager::QRCode; > @@ -1970,7 +1968,7 @@ END > } > } else { # child > unless (exec ('/usr/bin/openssl', 'req', '-nodes', > - '-newkey', 'rsa:2048', > + '-newkey', 'rsa:4096', > '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", > '-out', "${General::swroot}/ovpn/certs/serverreq.pem", > '-extensions', 'server', > @@ -4363,7 +4361,7 @@ if ($cgiparams{'TYPE'} eq 'net') { > } > } else { # child > unless (exec ('/usr/bin/openssl', 'req', '-nodes', > - '-newkey', 'rsa:2048', > + '-newkey', 'rsa:4096', > '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", > '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", > '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > index fc250b1f5..6c1fd4cf0 100644 > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -1093,7 +1093,7 @@ END > &General::log("ipsec", "Creating host cert..."); > if (open(STDIN, "-|")) { > my $opt = " req -sha256 -nodes"; > - $opt .= " -newkey rsa:2048"; > + $opt .= " -newkey rsa:4096"; > $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; > $opt .= " -out ${General::swroot}/certs/hostreq.pem"; > $errormessage = &callssl ($opt); > @@ -2139,7 +2139,7 @@ END > > if (open(STDIN, "-|")) { > my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; > - $opt .= " -newkey rsa:2048"; > + $opt .= " -newkey rsa:4096"; > $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > > -- > 2.35.3