Re: [PATCH] Disallow OpenVPN DH params less than 1024 bits

[ue <ummeegge@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 4017 bytes --]

Hi Timmothy Wilson,
we left the 1024 bit choice at this time in cause it provides a shortened time for the whole X509 generation. On slow boards or systems with less entropy the DH generation can take also with 2048 bit DH-parameter a long time (measured at this time up to 10 minutes with 2048 bits) . We´ve made at development time a short list which you can find here -->  http://wiki.ipfire.org/en/configuration/services/openvpn/extensions/zertkonvert where you can find also the needed time for DH-parameter generation. May 10 Minutes for an e.g. ALIX board is a lot and may too much ? Nevertheless you can upload external generated DH-parameter over the WUI --> http://wiki.ipfire.org/en/configuration/services/openvpn/config/upload_gen so a prepackaged DH-parameter can also be uploaded but the generation time can be left short too.

Another thing is, could you may provide more informations about the insecurity of 2048 bit DH-parameters ? On OpenVPN hardening side they called it "Use of 2048-bit is a good minimum." --> https://community.openvpn.net/openvpn/wiki/Hardening . Shurley a longer parameter increases security but needs also lots of more time to generate and with the usage of the upload function may a better way by only hint the 1024 parameter as insecure so both is possible ?

May an "insecure" hint in the flip menu is enough ? A possible "insecure" hint could also be placed for the "Hash algorithm" in "Cryptographic options" for SHA1 --> https://www.schneier.com/blog/archives/2005/02/sha1_broken.html <-- from 2005 :-( .

Some suggestions from here.

Greetings,

Erik


Am 23.11.2015 um 15:18 schrieb IT Superhack:

> The OpenVPN CGI offers to create a DH param. The patch below disables
> the generation of 1024 bit params and marks 2048 bit params as
> weak/insecure.
> 
> It is recommended to use DH params with at least 3072 bits, shorter ones
> are considered as insecure. The patch does not affect systems where
> already DH params were created.
> 
> Sorry for the crappy line breaks by my mail agent, but it cannot switch
> this off and git send-email does not work on my system (starttls issues).
> 
> Signed-off-by: Timmothy Wilson <itsuperhack(a)web.de>
> ---
> html/cgi-bin/ovpnmain.cgi | 3 +--
> langs/de/cgi-bin/de.pl    | 1 +
> 2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 62af54e..4813128 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -1313,8 +1313,7 @@ END
> 		<form method='post'><input type='hidden' name='AREUSURE' value='yes' />
> 		<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
> 			<select name='DHLENGHT'>
> -				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024
> $Lang::tr{'bit'}</option>
> -				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048
> $Lang::tr{'bit'}</option>
> +				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048
> $Lang::tr{'bit'} ($Lang::tr{'insecure'})</option>
> 				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072
> $Lang::tr{'bit'}</option>
> 				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096
> $Lang::tr{'bit'}</option>
> 			</select>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 2bca854..bfed92b 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1291,6 +1291,7 @@
> 'incorrect password' => 'Fehlerhaftes Passwort',
> 'info' => 'Info',
> 'init string' => 'Initialisierung:',
> +'insecure' => 'unsicher',
> 'insert floppy' => 'Legen Sie eine formatierte Diskette in das
> Floppy-Laufwerk in IPFire und klicken auf <i>Datensicherung auf
> Diskette</i>, um die Systemeinstellungen zu sichern.  Überprüfen Sie das
> Ergebnis sorgfältig, um sicher zu sein, dass die Datensicherung
> vollständig und erfolgreich abgeschlossen wurde.',
> 'install' => 'Installieren',
> 'install new update' => 'Installiere neues Update:',
> -- 
> 1.8.4.5
> 
>