On 04/04/2017 10:48, Steffan Karger wrote: > Hi, > > On 3 April 2017 at 23:14, Selva Nair <selva.n...@gmail.com> wrote: >> >> >> On Mon, Apr 3, 2017 at 4:43 PM, David Sommerseth >> <open...@sf.lists.topphemmelig.net> wrote: >>> >>> On 03/04/17 16:12, Jan Just Keijser wrote: >>>> Hi Samuli, >>>> >>>> On 03/04/17 15:53, Samuli Seppänen wrote: >>>>> On 02/04/2017 10:57, Steffan Karger wrote: >> >> >> snip.. >> >>> >>>>>> DSA is _not_ a preferred choice. The original 1024-bit DSA is too >>>>>> weak >>>>>> nowadays, and the 'larger' DSA variants are not even close to the wide >>>>>> support that RSA has. >>>>>> >>>>>> -Steffan >>>>>> >>>>> Hi, >>>>> >>>>> I've issue a pull request here and review would be appreciated: >>>>> >>>>> <https://github.com/OpenVPN/easy-rsa-old/pull/1> >>>>> >>>>> I tested these changes on Debian 8 which has OpenSSL-1.0.1. Key size >>>>> was >>>>> set to 4096-bits and signature algorithm to SHA256WithRSAEncryption. >>>>> >>>>> The only real issue was DH parameter generation: it took ~25 minutes on >>>>> my Intel i5 laptop. Is that acceptable default behavior? >>>>> >>>> what kind of i5 is this? on my i7-4810 it took 5 minutes. Can you give >>>> the full CPUID string (from /proc/cpuinfo) ? then I can >>>> guestimate whether the 25 minutes is realistic for slower hardware. >>> >>> I've run a a couple of "quick" tests ... on a two different laptops >>> >>> --- test 1 ---------------------------------------------------------- >>> $ time openssl gendh -out test 4096 >>> [...snip...] >>> >>> real 35m40.098s >>> user 35m38.922s >>> sys 0m0.367s >>> $ cat /proc/cpuinfo | grep model\ name | uniq -c >>> 4 model name : Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz >> >> >> 4096 bit "strong" prime is indeed an intensive computation.. Is using >> -dsaparam option not secure enough? >> >> openssl dhparam -dsaparam -out test 4096 >> >> is 15 seconds vs forever without it on my ancient desktop. > > From the openssl man page: > > "Beware that with such DSA-style DH parameters, a fresh DH key should > be created for each use to avoid small-subgroup attacks that may be > possible otherwise." > > This means that if for some reason a non-ephemeral diffie-hellman > cipher suite is selected, you are at risk of these attacks. > > If you are worried about the parameter generation time, just use one > of the IETF-provided parameters, e.g: > https://tools.ietf.org/html/rfc7919#appendix-A.2 > > But beware that using larger groups does not only slow down parameter > generation, it also slows down connection setup. ECDH is much faster, > but if you need to use DH, do some performance tests before blindly > using 4096-bits parameters. >
As discussed in the pull request we could easily make EasyRSA 2 use a different keysize for the Diffie-Hellman parameters and for the private key. Would that be the easiest way out? -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock
0x40864578.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
