Re: [PATCH] OpenVPN: Valid til days is required with OpenVPN-2.4.x

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3596 bytes --]

How relevant is this one here?

  https://bugzilla.ipfire.org/show_bug.cgi?id=10482

-Michael

On Mon, 2018-06-18 at 08:21 -0400, Tom Rymes wrote:
> Erik,
> 
> Tossing this back on the list, I hope you don't mind.
> 
> My apologies, I was unclear. What I mean is that the user will *want* a 
> longer lifetime, even though the longest *possible* lifetime will be too 
> long for security reasons.
> 
> In other words, my suggestion would be to use the longest lifetime 
> consistent with best practices, like those that you include below.
> 
> Tom
> 
> On 06/18/2018 8:00 AM, ummeegge wrote:
> > Hi Tom,
> > in my opinion this is the wrong suggestion since we circumvent in fact
> > the new security feature from OpenSSL. The longest lifetime would be
> > then '999998' days which is adequate to ~2740 years whereby we and our
> > systems possibly wont go through :D .
> > 
> > Additionally OpenVPNs hardening wiki --> https://community.openvpn.net/openv
> > pn/wiki/Hardening#X.509keysize
> > points a so called "future system near term use" (data are from Enisa) out
> > whereby 3072 bit RSA key lenghts and more are recommended to stay safe in
> > Enisa definitions for at least 10 years (research was from 2013) but IPFire
> > uses
> > currently 2048 bit RSA for the host certificate.
> > 
> > May not representative but Microsoft said in 2009 something like this:
> > 
> > Key length of 1024:  Validity period = not greater than 6-12 monthsKey
> > length of 2048:  Validity period = not greater than 2 yearsKey length of
> > 4096:  Validity period = not greater than 16 years
> > 
> > <-- is from https://cloudblogs.microsoft.com/enterprisemobility/2009/06/12/r
> > ecommendations-for-pki-key-lengths-and-validity-periods-with-configuration-
> > manager/
> > 
> > May there are more actual papers for that...
> > 
> > 
> > Best,
> > 
> > Erik
> > 
> > 
> > Am Montag, den 18.06.2018, 06:27 -0400 schrieb Tom Rymes:
> > > I’d suggest that most users likely want the longest lifetime for
> > > their certs that they can get, so as to avoid the need to frequently
> > > replace expired certificates.
> > > 
> > > This is especially true because there is no way to recreate certs in
> > > the WUI when they expire, so you have to delete the entry and
> > > recreate it when that happens.
> > > 
> > > https://bugzilla.ipfire.org/show_bug.cgi?id=11742
> > > 
> > > My $0.02,
> > > 
> > > Tom
> > > 
> > > On Jun 18, 2018, at 3:56 AM, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > 
> > > > Hi Michael,
> > > > yes but the needs in there can differs a lot so the question arises
> > > > what is a good default ?
> > > > Another idea might be to add another (or a range of possible days)
> > > > text
> > > > for that field ?
> > > > May the error message if an entry triggers one can also be
> > > > extended.
> > > > 
> > > > Greetings,
> > > > 
> > > > Erik
> > > > 
> > > > Am Sonntag, den 17.06.2018, 19:14 +0100 schrieb Michael Tremer:
> > > > > Hello,
> > > 
> > > can we also set a good default value for this?
> > > 
> > > 
> > > This can be a little bit confusing for new users and it would be good
> > > 
> > > to have
> > > 
> > > some guidance. It can be a separate patch.
> > > 
> > > 
> > > Best,
> > > 
> > > -Michael
> > > 
> > > 
> > > On Fri, 2018-06-15 at 14:59 +0200, ummeegge wrote:
> > > 
> > > > 
> > > > Have seen it too late to announce it in the commit message but this
> > > > patch solves also Bug #11715
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> 
>