Hi all, and first of all a good new year to you all.
I agree that it is desirable to use longer keys. However, I am not sure if it is a good idea to go all the way to 4096 bit and not only to e.g. 2048 bit. Why not 8192 even?
I would like to read some justification for the values that are picked.
Furthermore, I think that the upper bound should be something that the average IPFire box is able to handle.
Tried that now with OpenVPN, whereby I added a flip menu in the 'Generate Root/Host Certificate' section, as it is for the Diffie-Hellman parameter, so the key lengths aren't hardcoded anymore and can be configured by the user. Added for the root CA 4096, 8192 and 16348 bit length selection possibilities and for the host CA 2048, 4096, 8192 and also 16348 bit. The configured key length for the host CA was also used for the control channel.
The Root CA generation took 31 minutes for a 16348 bit key length, the Host CA 12 minutes for 8192 bit, and a 1024 bit DH parameter needed 2 minutes, which is in summary ~45 minutes. The generation time also differs on every generation. The creation of a new client PKCS#12 package for 8192 bit needed 3 minutes. The key exchange with a Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 8192 bit RSA needed 10 sec.
All tests were made with a JNC9C --> http://fireinfo.ipfire.org/profile/72d11e77621ec66ea75d39e3c9b10025e746e5af and without HWRNG or PRNG.
If someone is interested in an ovpnmain.cgi diff and/or more testing results, let me know.
Greetings,
Erik
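To reproduce the timing ladder Erik describes on another box before deciding on an upper bound, the following POSIX shell script is an added example; it is not part of the thread, not the ovpnmain.cgi change, and assumes only that the openssl CLI is installed. It takes the menu sizes from the post (reading the "16348" there as the power of two 16384, which is what openssl and the rest of the thread mean), rejects any size not on that menu, times each RSA key generation with openssl genrsa, and stops the ladder once one size exceeds a time budget, because each doubling of the modulus costs several times the previous generation time and 16384 bit can run for the better part of an hour on an ALIX/Atom-class firewall.

```shell
# Added benchmark for the RSA key-generation ladder discussed on the list.
# Assumptions: the openssl CLI is in PATH; sizes mirror the proposed flip menu.
ALLOWED_BITS="2048 4096 8192 16384"

# Return 0 when $1 is one of the menu sizes, 1 otherwise, so a typo such as
# 16348 or a hand-edited 3000 never reaches openssl.
validate_keylen() {
    for b in $ALLOWED_BITS; do
        if [ "$1" = "$b" ]; then
            return 0
        fi
    done
    return 1
}

# Generate one RSA key of $1 bits into a temp file and print the wall-clock
# seconds it took; returns 1 if the size is off-menu or openssl fails.
bench_rsa() {
    bits="$1"
    validate_keylen "$bits" || return 1
    tmp=$(mktemp) || return 1
    start=$(date +%s)
    if ! openssl genrsa -out "$tmp" "$bits" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    end=$(date +%s)
    rm -f "$tmp"
    echo $((end - start))
}

# Walk the menu from smallest to largest and stop after the first size that
# needs more than $1 seconds; that size is a reasonable cap for the box.
bench_ladder() {
    budget="$1"
    for bits in $ALLOWED_BITS; do
        if ! secs=$(bench_rsa "$bits"); then
            echo "$bits bits: generation failed"
            return 1
        fi
        echo "$bits bits: ${secs}s"
        if [ "$secs" -gt "$budget" ]; then
            echo "over budget of ${budget}s; $bits bits is the practical upper bound here"
            break
        fi
    done
    return 0
}

# Usage: sh bench_rsa.sh run [budget-seconds]   (default budget 300 s).
if [ "${1:-}" = "run" ]; then
    bench_ladder "${2:-300}"
fi
```

Timings from this script only cover the RSA part of what the post measures; the DH parameter generation and the PKCS#12 export are separate steps. Run it on the target hardware itself, not on the admin workstation, since the result depends on the CPU and on how much entropy the box can supply without a hardware RNG.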