Hi,
so I guess this patch does two things:
a) Mark some ciphers, etc. as weak
b) Changes the default integrity to SHA512
The first part is absolutely fine with me. We have been doing the same for IPsec.
The latter one however, I am not so sure about. I consider SHA1 as broken, but that is true for some other things here as well. So I would like to propose to leave this untouched so far and change these when we upgrade to OpenVPN 2.4.
Then, we can also change to AES-GCM or something better even. That is still up for debate. Though. But at least we won't change defaults twice.
-Michael
On Sun, 2018-01-07 at 11:34 +0100, Peter Müller wrote:
Default hash algorithm is now SHA512 instead of SHA1, but the description text has not been updated, yet.
Further, make sure that 1024 bit DH parameters are always marked as weak.
Signed-off-by: Peter Müller peter.mueller@link38.eu
html/cgi-bin/ovpnmain.cgi | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 638e8ef0f..71fd6f06b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2002,7 +2002,7 @@ END </select></td>
<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td> <td class='base'><select name='DHLENGHT'> - <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option> + <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option> <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option> <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option> <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option> @@ -2847,7 +2847,7 @@ print <<END; <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> - <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td> + <td>$Lang::tr{'openvpn default'}: <span class="base">SHA2 (512 $Lang::tr{'bit'})</span></td> </tr> </table>
@@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = '';
- # If no hash algorythm has been choosen yet, select
- # the old default value (SHA1) for compatiblity reasons.
- # Use SHA512 as default. if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- $cgiparams{'DAUTH'} = 'SHA512'; } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';