Hi,
On Sat, 2016-01-02 at 14:03 +0100, ue wrote:
Hi all, and for the first a good new year to you all.
I agree that it is desirable to use longer keys. However, I am not sure if it is a good idea to go all the way for 4096 bit and not only for e.g. 2048 bit. Why not 8192 even?
I would like to read some justification for the values that are picked.
Furthermore, I think that the upper bound should be something that the average IPFire box is able to handle.
Tried that now with OpenVPN, whereby I added a flip menu in the 'Generate Root/Host Certificate' section as it is for the Diffie-Hellman parameter, so the key lengths aren't hardcoded anymore and can be configured by the user. Added for the root CA 4096, 8192 and 16348 bit length selection possibilities and for the host CA 2048, 4096, 8192 and also 16348 bit. The configured key length for the host CA was also used for the control channel.
Is it even possible to use arbitrary key lengths with OpenVPN?
16k is really really long.
The Root CA generation took 31 minutes for a 16348 bit key length, the Host CA 12 minutes for 8192 bit and a 1024 bit DH parameter needed 2 minutes, which is in summary ~45 minutes. The generation time also differs on every generation. The creation of a new client PKCS#12 package for 8192 bit needed 3 minutes. The key exchange with a Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 8192 bit RSA needed 10 sec.
This sounds incredibly fast to me. We had devices on which that took way longer.
I have recently seen a talk about using /dev/urandom instead. This is probably worth a watch: https://www.youtube.com/watch?v=Q8JAlZ-HJQI
All tests were made with a JNC9C --> http://fireinfo.ipfire.org/profile/72d11e77621ec66ea75d39e3c9b10025e746e5af and without HWRNG or PRNG.
If someone is interested in an ovpnmain.cgi diff and/or more testing results, let me know.
You can post it as a patch on here and add a note that this is for testing only and not (yet?) intended to be merged.
Greetings,
Erik
Best, -Michael
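As an added example (not IPFire's ovpnmain.cgi code and not part of this thread), the shell script below shows the two pieces such a configurable-key-length menu needs on the server side: an allow-list check that rejects anything except one of the offered sizes before the value reaches openssl, and a small timer around RSA key generation so the cost of each size can be measured on the box itself. The allow-lists ROOT_SIZES and HOST_SIZES, the function names validate_keylen and gen_rsa_key, and the use of openssl(1) being installed are all assumptions of this example, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not IPFire project code. Demonstrates (1) validating a
# user-selected RSA key length against a fixed allow-list and (2) timing
# key generation for the accepted sizes. Assumes openssl(1) is available.

# Constructed allow-lists mirroring the sizes discussed in the thread.
ROOT_SIZES="4096 8192 16384"
HOST_SIZES="2048 4096 8192 16384"

# validate_keylen LIST VALUE
# Returns 0 only if VALUE is a plain integer that appears in LIST.
# Anything else (empty, non-digits, extra words, unlisted size) is rejected,
# so a value taken from a CGI form cannot add arguments to the openssl call.
validate_keylen() {
    list=$1
    value=$2
    case $value in
        ''|*[!0-9]*) return 1 ;;
    esac
    for allowed in $list; do
        [ "$value" = "$allowed" ] && return 0
    done
    return 1
}

# gen_rsa_key BITS OUTFILE
# Generates an RSA private key of BITS bits into OUTFILE and prints the
# number of wall-clock seconds the generation took.
gen_rsa_key() {
    bits=$1
    out=$2
    start=$(date +%s)
    openssl genrsa -out "$out" "$bits" 2>/dev/null
    end=$(date +%s)
    echo $((end - start))
}

# Demo run: only when openssl is present, and only for the quick sizes.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    for bits in 2048 4096; do
        if validate_keylen "$HOST_SIZES" "$bits"; then
            secs=$(gen_rsa_key "$bits" "$tmp/host-$bits.key")
            echo "host key $bits bit: ${secs}s"
        fi
    done
    rm -rf "$tmp"
fi
```

The allow-list comparison is deliberately exact-match rather than a numeric range check: a CGI parameter is untrusted text, and comparing it against a handful of literal strings keeps both the accepted values and the command line passed to openssl fully predictable.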