Default hash algorithm is now SHA512 instead of SHA1, but the description text has not been updated, yet.
Further, make sure that 1024 bit DH parameters are always marked as weak.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- html/cgi-bin/ovpnmain.cgi | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 638e8ef0f..71fd6f06b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2002,7 +2002,7 @@ END </select></td> <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td> <td class='base'><select name='DHLENGHT'> - <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option> + <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option> <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option> <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option> <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option> @@ -2847,7 +2847,7 @@ print <<END; <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> - <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td> + <td>$Lang::tr{'openvpn default'}: <span class="base">SHA2 (512 $Lang::tr{'bit'})</span></td> </tr> </table>
@@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; - # If no hash algorythm has been choosen yet, select - # the old default value (SHA1) for compatiblity reasons. + # Use SHA512 as default. if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'DAUTH'} = 'SHA512'; } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
Hi,
so I guess this patch does two things:
a) Mark some ciphers, etc. as weak
b) Changes the default integrity to SHA512
The first part is absolutely fine with me. We have been doing the same for IPsec.
The latter one however, I am not so sure about. I consider SHA1 as broken, but that is true for some other things here as well. So I would like to propose to leave this untouched so far and change these when we upgrade to OpenVPN 2.4.
Then, we can also change to AES-GCM or something better even. That is still up for debate. Though. But at least we won't change defaults twice.
-Michael
On Sun, 2018-01-07 at 11:34 +0100, Peter Müller wrote:
Default hash algorithm is now SHA512 instead of SHA1, but the description text has not been updated, yet.
Further, make sure that 1024 bit DH parameters are always marked as weak.
Signed-off-by: Peter Müller peter.mueller@link38.eu
html/cgi-bin/ovpnmain.cgi | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 638e8ef0f..71fd6f06b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2002,7 +2002,7 @@ END </select></td>
<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td> <td class='base'><select name='DHLENGHT'> - <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option> + <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option> <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option> <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option> <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option> @@ -2847,7 +2847,7 @@ print <<END; <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> - <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td> + <td>$Lang::tr{'openvpn default'}: <span class="base">SHA2 (512 $Lang::tr{'bit'})</span></td> </tr> </table>
@@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = '';
- # If no hash algorythm has been choosen yet, select
- # the old default value (SHA1) for compatiblity reasons.
- # Use SHA512 as default. if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- $cgiparams{'DAUTH'} = 'SHA512'; } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
Hello,
sorry for the late reply.
Hi,
so I guess this patch does two things:
Yes, I know. Better send in two patches...
a) Mark some ciphers, etc. as weak
Yes.
b) Changes the default integrity to SHA512
The default hash setting _is_ SHA512 already, but the description beside it still says it would be SHA1, so I corrected that.
But you are right, the other SHA1 part down below changes used hash algorithm.
The first part is absolutely fine with me. We have been doing the same for IPsec.
The latter one however, I am not so sure about. I consider SHA1 as broken, but that is true for some other things here as well. So I would like to propose to leave this untouched so far and change these when we upgrade to OpenVPN 2.4.
I did not noticed 2.4 to be in development.
Then, we can also change to AES-GCM or something better even. That is still up for debate. Though. But at least we won't change defaults twice.
All right, if you agree, I just send in a small patch correcting the "default" string in the WebUI so we stay consistent here.
Best regards, Peter Müller
-Michael
On Sun, 2018-01-07 at 11:34 +0100, Peter Müller wrote:
Default hash algorithm is now SHA512 instead of SHA1, but the description text has not been updated, yet.
Further, make sure that 1024 bit DH parameters are always marked as weak.
Signed-off-by: Peter Müller peter.mueller@link38.eu
html/cgi-bin/ovpnmain.cgi | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 638e8ef0f..71fd6f06b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2002,7 +2002,7 @@ END </select></td>
<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td> <td class='base'><select name='DHLENGHT'> - <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option> + <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option> <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option> <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option> <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option> @@ -2847,7 +2847,7 @@ print <<END; <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> - <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td> + <td>$Lang::tr{'openvpn default'}: <span class="base">SHA2 (512 $Lang::tr{'bit'})</span></td> </tr> </table>
@@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = '';
- # If no hash algorythm has been choosen yet, select
- # the old default value (SHA1) for compatiblity reasons.
- # Use SHA512 as default. if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- $cgiparams{'DAUTH'} = 'SHA512'; } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
-
Michael Tremer -
Peter Müller