On Mon, Apr 3, 2017 at 4:43 PM, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:
> On 03/04/17 16:12, Jan Just Keijser wrote:
> > Hi Samuli,
> >
> > On 03/04/17 15:53, Samuli Seppänen wrote:
> >> On 02/04/2017 10:57, Steffan Karger wrote:
>
snip..
> >>> DSA is _not_ a preferred choice. The original 1024-bit DSA is too weak
> >>> nowadays, and the 'larger' DSA variants are not even close to the wide
> >>> support that RSA has.
> >>>
> >>> -Steffan
> >>>
> >> Hi,
> >>
> >> I've issued a pull request here and review would be appreciated:
> >>
> >> <https://github.com/OpenVPN/easy-rsa-old/pull/1>
> >>
> >> I tested these changes on Debian 8 which has OpenSSL-1.0.1. Key size was
> >> set to 4096-bits and signature algorithm to SHA256WithRSAEncryption.
> >>
> >> The only real issue was DH parameter generation: it took ~25 minutes on
> >> my Intel i5 laptop. Is that acceptable default behavior?
> >>
> > What kind of i5 is this? On my i7-4810 it took 5 minutes. Can you give
> > the full CPUID string (from /proc/cpuinfo)? Then I can guesstimate
> > whether the 25 minutes is realistic for slower hardware.
>
> I've run a couple of "quick" tests ... on two different laptops
>
> --- test 1 ----------------------------------------------------------
> $ time openssl gendh -out test 4096
> [...snip...]
>
> real 35m40.098s
> user 35m38.922s
> sys 0m0.367s
> $ cat /proc/cpuinfo | grep model\ name | uniq -c
> 4 model name : Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
>
A 4096-bit "strong" prime is indeed an intensive computation. Is using
the -dsaparam option not secure enough?

    openssl dhparam -dsaparam -out test 4096

is 15 seconds vs forever without it on my ancient desktop.

Selva