From: ue
To: development@lists.ipfire.org
Subject: Re: [PATCH] Disallow OpenVPN DH params less than 1024 bits
Date: Tue, 24 Nov 2015 15:14:26 +0100
Message-ID:
In-Reply-To: <5653202F.1050604@web.de>

Hi Timmothy Wilson,

we left the 1024 bit choice at this time because it provides a shortened time for the whole X509 generation. On slow boards or systems with less entropy the DH generation can take a long time even with 2048 bit DH-parameters (measured at this time at up to 10 minutes with 2048 bits). We have made a short list at development time, which you can find here --> http://wiki.ipfire.org/en/configuration/services/openvpn/extensions/zertkonvert where you can also find the needed time for DH-parameter generation. Maybe 10 minutes for e.g. an ALIX board is a lot and maybe too much? Nevertheless you can upload externally generated DH-parameters over the WUI --> http://wiki.ipfire.org/en/configuration/services/openvpn/config/upload_gen so a prepackaged DH-parameter can also be uploaded, but the generation time can be kept short too.

Another thing is, could you maybe provide more information about the insecurity of 2048 bit DH-parameters? On the OpenVPN hardening side they call it "Use of 2048-bit is a good minimum." --> https://community.openvpn.net/openvpn/wiki/Hardening . Surely a longer parameter increases security, but it also needs a lot more time to generate, and with the usage of the upload function maybe a better way is to only hint the 1024 parameter as insecure, so both are possible? Maybe an "insecure" hint in the flip menu is enough?
A possible "insecure" hint could also be placed for the "Hash algorithm" in "Cryptographic options" for SHA1 --> https://www.schneier.com/blog/archives/2005/02/sha1_broken.html <-- from 2005 :-( .

Some suggestions from here.

Greetings,

Erik

On 23.11.2015 at 15:18, IT Superhack wrote:
> The OpenVPN CGI offers to create a DH param. The patch below disables
> the generation of 1024 bit params and marks 2048 bit params as
> weak/insecure.
>
> It is recommended to use DH params with at least 3072 bits, shorter ones
> are considered as insecure. The patch does not affect systems where
> DH params were already created.
>
> Sorry for the crappy line breaks by my mail agent, but it cannot switch
> this off and git send-email does not work on my system (starttls issues).
>
> Signed-off-by: Timmothy Wilson
> ---
> html/cgi-bin/ovpnmain.cgi | 3 +--
> langs/de/cgi-bin/de.pl | 1 +
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 62af54e..4813128 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -1313,8 +1313,7 @@ END
>
>
>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 2bca854..bfed92b 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1291,6 +1291,7 @@
> 'incorrect password' => 'Fehlerhaftes Passwort',
> 'info' => 'Info',
> 'init string' => 'Initialisierung:',
> +'insecure' => 'unsicher',
> 'insert floppy' => 'Legen Sie eine formatierte Diskette in das
> Floppy-Laufwerk in IPFire und klicken auf Datensicherung auf
> Diskette, um die Systemeinstellungen zu sichern. Überprüfen Sie das
> Ergebnis sorgfältig, um sicher zu sein, dass die Datensicherung
> vollständig und erfolgreich abgeschlossen wurde.',
> 'install' => 'Installieren',
> 'install new update' => 'Installiere neues Update:',
> --
> 1.8.4.5
>
>
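Review bot: the body of the ovpnmain.cgi hunk (@@ -1313,8 +1313,7 @@) is not reproduced in this mail, but the diffstat for that file (3 +--, one insertion and two deletions) is consistent with dropping the 1024 entry from the select menu and relabelling the 2048 entry. Removing an option from the form does not stop a client from submitting 1024 (or any other value) directly to the CGI, so the requested bit count should also be validated server-side before generation is started; the commit message's "disables the generation of 1024 bit params" only holds if that check exists.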
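Review bot: the new 'insecure' key is added only to langs/de/cgi-bin/de.pl, and the diffstat lists no change to the English language file, so if ovpnmain.cgi renders the menu label through the translation hash, the English WUI (and every other locale) will show an empty label next to the 2048 entry. Add the key to the English language file as well (presumably langs/en/cgi-bin/en.pl, following the de.pl path), e.g. 'insecure' => 'insecure'.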
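Whatever the menu offers, the upload path Erik points to accepts whatever file the user provides, so the minimum-size decision the thread argues about has to be enforced when the file is taken in, not only in the form. The following is an added example and not IPFire code: a small Python parser for PKCS#3 "DH PARAMETERS" PEM files that reads the modulus, reports its bit length and rejects anything below a configurable minimum. The function names (parse_dh_params, check_uploaded_dh, make_dh_pem) and the 2048-bit default are the example's own choices, and the sample parameters it builds are constructed composite numbers of the right size, not usable DH groups.

```python
import base64
import re

# Minimum accepted modulus size; the thread argues between 2048 and 3072.
MIN_DH_BITS = 2048

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _der_len(data, i):
    """Decode the DER length field starting at data[i]; return (length, next_index)."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(data, i):
    """Decode a DER INTEGER at data[i]; return (value, next_index)."""
    if i >= len(data) or data[i] != 0x02:
        raise ValueError("expected DER INTEGER")
    length, j = _der_len(data, i + 1)
    raw = data[j:j + length]
    if len(raw) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(raw, "big", signed=True), j + length


def parse_dh_params(pem):
    """Parse a PKCS#3 DHParameter PEM block: SEQUENCE { INTEGER p, INTEGER g }.

    Only the structure is checked; primality of p is not (openssl dhparam -check
    does that and is far more expensive).
    """
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der or der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    seq_len, i = _der_len(der, 1)
    if i + seq_len != len(der):
        raise ValueError("trailing data after DHParameter sequence")
    p, i = _der_int(der, i)
    g, i = _der_int(der, i)
    if p <= 0 or g <= 1:
        raise ValueError("modulus and generator must be positive, generator > 1")
    return p, g


def dh_bits(pem):
    """Bit length of the DH modulus in a PEM file."""
    return parse_dh_params(pem)[0].bit_length()


def check_uploaded_dh(pem, minimum=MIN_DH_BITS):
    """What an upload handler should do: parse, measure, refuse small moduli.

    Returns (accepted, bits, reason).
    """
    try:
        p, _g = parse_dh_params(pem)
    except ValueError as exc:
        return False, 0, f"rejected: {exc}"
    bits = p.bit_length()
    if bits < minimum:
        return False, bits, f"rejected: {bits}-bit DH modulus is below the {minimum}-bit minimum"
    return True, bits, f"accepted: {bits}-bit DH modulus"


# --- constructed test fixtures (not real DH groups) ---------------------------

def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_encode_int(n):
    # One extra byte keeps the sign bit clear when the top bit of n is set.
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_encode_len(len(raw)) + raw


def make_dh_pem(p, g=2):
    """Build a PKCS#3 PEM around a constructed modulus; for testing the parser only."""
    body = _der_encode_int(p) + _der_encode_int(g)
    der = b"\x30" + _der_encode_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    for bits in (1024, 2048, 3072):
        pem = make_dh_pem((1 << (bits - 1)) | 1)  # constructed, composite, right size
        print(check_uploaded_dh(pem)[2])
    print(check_uploaded_dh("not a pem file")[2])
```

The check is deliberately cheap so it can run on every upload; the expensive question of whether p is actually a safe prime is left to openssl's own validation, which is the same trade-off the thread makes between generation time and assurance.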