From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] IPsec/OpenVPN: Use 4,096-bit RSA for host certificates as well
Date: Thu, 03 Nov 2022 16:43:07 +0000
In-Reply-To: <06498720-4e0d-a58f-5914-b46cd91d755b@ipfire.org>

Hello Peter,

This is great.

We picked 2048 to be able to generate those keys very quickly. Since that was a long time ago and the average hardware has become a lot faster - and RDRAND is a lot more common - this is a great change!

Best,
-Michael

Reviewed-by: Michael Tremer

> On 3 Nov 2022, at 15:29, Peter Müller wrote:
> 
> We already moved away from 2048-MODP in Core Update 170. Similarly, the
> German Federal Office for Information Security (BSI) recommends shifting
> away from RSA keys below 3,000 bits by the end of 2022 at the latest.
> 
> The only place left in IPFire 2.x where we generate such keys is for
> IPsec and OpenVPN host certificates. This patch increases their key
> sizes to 4,096 bits as well - CA certificates already have this length.
> 
> Existing VPN connections cannot be migrated automatically. However, only
> the respective host certificate has to be regenerated - thanks to the CA
> certificates' key length being sufficient, there is no need to replace
> the entire VPN CA.
> 
> Signed-off-by: Peter Müller
> ---
>  html/cgi-bin/ovpnmain.cgi | 10 ++++------
>  html/cgi-bin/vpnmain.cgi  |  4 ++--
>  2 files changed, 6 insertions(+), 8 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 90d3710e4..f85d610d8 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -2,7 +2,7 @@
>  ###############################################################################
>  #                                                                             #
>  # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2014 IPFire Team                                         #
> +# Copyright (C) 2007-2022 IPFire Team                                         #
>  #                                                                             #
>  # This program is free software: you can redistribute it and/or modify        #
>  # it under the terms of the GNU General Public License as published by        #
> @@ -18,9 +18,7 @@
>  # along with this program.  If not, see .                                     #
>  #                                                                             #
>  ###############################################################################
> -###
> -# Based on IPFireCore 77
> -###
> +
>  use CGI;
>  use CGI qw/:standard/;
>  use Imager::QRCode;
> @@ -1970,7 +1968,7 @@ END
>  			}
>  		} else {	# child
>  			unless (exec ('/usr/bin/openssl', 'req', '-nodes',
> -				'-newkey', 'rsa:2048',
> +				'-newkey', 'rsa:4096',
>  				'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>  				'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>  				'-extensions', 'server',
> @@ -4363,7 +4361,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>  			}
>  		} else {	# child
>  			unless (exec ('/usr/bin/openssl', 'req', '-nodes',
> -				'-newkey', 'rsa:2048',
> +				'-newkey', 'rsa:4096',
>  				'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>  				'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>  				'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index fc250b1f5..6c1fd4cf0 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -1093,7 +1093,7 @@ END
>  		&General::log("ipsec", "Creating host cert...");
>  		if (open(STDIN, "-|")) {
>  			my $opt = " req -sha256 -nodes";
> -			$opt .= " -newkey rsa:2048";
> +			$opt .= " -newkey rsa:4096";
>  			$opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
>  			$opt .= " -out ${General::swroot}/certs/hostreq.pem";
>  			$errormessage = &callssl ($opt);
> @@ -2139,7 +2139,7 @@ END
> 
>  		if (open(STDIN, "-|")) {
>  			my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
> -			$opt .= " -newkey rsa:2048";
> +			$opt .= " -newkey rsa:4096";
>  			$opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
>  			$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
> 
> -- 
> 2.35.3
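Review bot: the `@@ -18,9 +18,7 @@` hunk in ovpnmain.cgi (dropping the "Based on IPFireCore 77" banner) and the copyright-year bump in the hunk before it are unrelated to the key-size change that the subject line announces, and the replacement `+` line is an empty line between the licence box and `use CGI;`. Either split those two cosmetic hunks into their own commit or mention them in the commit message so that a later bisect or changelog reader is not surprised by them.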
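Review bot: the literal `'rsa:4096'` is now hard-coded in the `@@ -1970,7 +1968,7 @@` hunk and in three more places (the client-certificate hunk below it and both vpnmain.cgi hunks), exactly as `'rsa:2048'` was before; a single key-size setting shared by both CGI scripts would turn the next bump into a one-line change and keep the four invocations from drifting apart. Since a 4,096-bit key takes markedly longer to generate than a 2,048-bit one on the same hardware and the request blocks until `openssl req` finishes, it is also worth a sentence in the release notes that generating host and client certificates now takes noticeably longer on slow boards.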
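Review bot: in the `@@ -2139,7 +2139,7 @@` hunk of vpnmain.cgi the request is built as `" req -nodes -rand /proc/interrupts:/proc/net/rt_cache"` while the host-certificate path at `@@ -1093,7 +1093,7 @@` uses `" req -sha256 -nodes"`; since both lines are being touched anyway, aligning them would be cheap: add `-sha256` here so the digest is explicit rather than OpenSSL's default, and consider dropping the `-rand` seeding from /proc files, which adds nothing once OpenSSL seeds its DRBG from the kernel. Unrelated to the key size but visible in the hunk: `$cgiparams{'NAME'}` is interpolated into the option string handed to `&callssl`, so this path relies on NAME having been validated earlier in the script.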
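The commit message points out that existing host certificates keep their old key length until they are regenerated, so an administrator needs a way to find which keys are still short. The following audit script is an added example, not IPFire code and not part of the patch: it parses PKCS#1 (`RSA PRIVATE KEY`) and PKCS#8 (`PRIVATE KEY`) PEM files with a minimal DER walker from the standard library only and flags any RSA modulus below a threshold (4,096 bits by default, matching the patch; the 3,000-bit BSI figure from the commit message can be passed instead). The sample key is constructed inside the script with placeholder integers so it runs offline; the default directory in the `__main__` block assumes that `${General::swroot}` is `/var/ipfire`.

```python
"""Audit PEM private keys for RSA modulus size (stdlib only; added example)."""
import base64
import re
from pathlib import Path

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def der_read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a SEQUENCE into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        out.append((tag, val))
    return out


def rsa_bits_from_pkcs1(der):
    """RSAPrivateKey ::= SEQUENCE { version, modulus, publicExponent, ... }."""
    tag, body, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    modulus = der_children(body)[1][1]     # second INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def rsa_bits_from_pkcs8(der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }."""
    _, body, _ = der_read_tlv(der)
    children = der_children(body)
    oid = der_children(children[1][1])[0][1]
    if oid != RSA_OID:
        return None                        # not RSA (e.g. an EC key): nothing to measure
    return rsa_bits_from_pkcs1(children[2][1])


def audit_pem(pem, min_bits=4096):
    """Return [(label, bits, ok)] for every RSA private key block in a PEM blob."""
    results = []
    for label, body in PEM_RE.findall(pem):
        der = base64.b64decode(re.sub(rb"\s+", b"", body))
        label = label.decode()
        if label == "RSA PRIVATE KEY":
            bits = rsa_bits_from_pkcs1(der)
        elif label == "PRIVATE KEY":
            bits = rsa_bits_from_pkcs8(der)
        else:
            continue                       # certificates, requests, etc. are skipped
        if bits is not None:
            results.append((label, bits, bits >= min_bits))
    return results


def audit_directory(path, min_bits=4096):
    """Scan *.pem files below path; return {filename: [(label, bits, ok)]}."""
    report = {}
    for pem_file in sorted(Path(path).rglob("*.pem")):
        found = audit_pem(pem_file.read_bytes(), min_bits)
        if found:
            report[str(pem_file)] = found
    return report


# --- constructed sample input: NOT a usable key, the CRT fields are placeholders ---
def der_encode(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(i):
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b                    # keep the INTEGER positive
    return der_encode(0x02, b)


def sample_pkcs8_pem(modulus_bits):
    """Build a PKCS#8 PEM whose RSA modulus has exactly modulus_bits bits."""
    modulus = (1 << (modulus_bits - 1)) | 1
    pkcs1 = der_encode(0x30, der_int(0) + der_int(modulus) + der_int(65537)
                       + b"".join(der_int(1) for _ in range(6)))   # d, p, q, dp, dq, qinv
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    pkcs8 = der_encode(0x30, der_int(0) + alg + der_encode(0x04, pkcs1))
    b64 = base64.encodebytes(pkcs8).decode().replace("\n", "")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PRIVATE KEY-----\n{lines}\n-----END PRIVATE KEY-----\n".encode()


if __name__ == "__main__":
    # On a real box: audit_directory("/var/ipfire/certs") and
    # audit_directory("/var/ipfire/ovpn/certs") (swroot path is an assumption).
    for label, bits, ok in audit_pem(sample_pkcs8_pem(2048)):
        print(f"{label}: {bits} bits -> {'ok' if ok else 'REGENERATE'}")
```

Keys that come back flagged are the host or client keys that the commit message says must be regenerated by hand; the CA key is left alone, as the patch notes it already has the longer modulus.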