On Thu, May 21, 2015 at 3:58 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> On 21/05/15 15:11, Kapetanakis Giannis wrote:
>> Just a heads up on this new attack
>> https://weakdh.org/
>>
> the short gist of this attack is: upgrade your DH param file to 2048
> bits or more otherwise you're vulnerable :)
This is true, but in the case of OpenVPN the case is less horrible, because:

1) OpenVPN encourages users to generate their own DH group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024-bit DH keys (updated to 2048 recently), and although 1024-bit DH params *can* be broken, that is still *very* expensive. Probably too expensive for your data if you don't share the group with others.

2) OpenVPN's tls-auth feature can prevent the downgrade attack on TLS from happening (but only if you use tls-auth, of course).

Still, use DH params of at least 2048 bits, please! Upgrading is easy and only needs a change on the server. Generate new params using e.g.:

    openssl dhparam -out dh3072.pem 3072

update your server config to use this file:

    dh dh3072.pem

and restart the server.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
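The upgrade procedure above leaves one question open for an administrator auditing existing servers: how big is the group in the 'dh' file a server is actually using? The following is an added example, not code from the thread or from the OpenVPN project. It reads the PEM "DH PARAMETERS" file that 'openssl dhparam' writes (PKCS#3: a SEQUENCE of INTEGER p, INTEGER g, with an optional third INTEGER) using only the Python standard library and reports the bit length of p, so it can be run on a fleet of servers where running 'openssl dhparam -in FILE -text -noout' by hand on each is impractical. The sample file built at the bottom uses a constructed, non-prime p purely to exercise the parser; the helper 'build_dh_pem' and the 2048-bit threshold are this example's own choices.

```python
"""Audit an OpenVPN 'dh' file: report the DH group size and flag anything
below the size recommended in the thread (2048 bits). Stdlib only."""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_int(v: int) -> bytes:
    """DER INTEGER: minimal big-endian, leading 0x00 if the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _encode_len(len(body)) + body


def build_dh_pem(p: int, g: int = 2) -> str:
    """Build a PKCS#3 DHParameter PEM (constructed test input only; p is not
    checked for primality here, 'openssl dhparam' is what generates real groups)."""
    der = _encode_int(p) + _encode_int(g)
    der = b"\x30" + _encode_len(len(der)) + der
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + \
        "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf: bytes, i: int):
    """Read one DER tag/length/value starting at offset i."""
    tag = buf[i]
    first = buf[i + 1]
    i += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the DH PARAMETERS block from PEM text."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def parse_dh_params(der: bytes):
    """Return (p, g) from a DER-encoded PKCS#3 DHParameter."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, i = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(body, i)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    # Unsigned decode: a leading 0x00 sign byte contributes nothing.
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_param_bits(pem: str) -> int:
    """Bit length of the group prime p, i.e. what 'openssl dhparam -text' prints."""
    p, _ = parse_dh_params(pem_to_der(pem))
    return p.bit_length()


def dh_params_acceptable(pem: str, minimum_bits: int = 2048) -> bool:
    """True if the group meets the size recommended in the thread."""
    return dh_param_bits(pem) >= minimum_bits


# Constructed sample: a 1024-bit value standing in for an old 'dh1024.pem'.
WEAK_1024_PEM = build_dh_pem((1 << 1023) | 1, 2)

if __name__ == "__main__":
    # Usage: python audit_dh.py /etc/openvpn/dh3072.pem [more files...]
    for path in sys.argv[1:] or []:
        with open(path) as fh:
            bits = dh_param_bits(fh.read())
        verdict = "ok" if bits >= 2048 else "UPGRADE (see weakdh.org)"
        print(f"{path}: {bits}-bit DH group: {verdict}")
```

The script reads only the public group parameters, so it is safe to run against production config directories; a reading below 2048 bits means the server should get a fresh 'openssl dhparam' file and a restart, exactly as the mail describes.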