On Thu, May 21, 2015 at 3:58 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> On 21/05/15 15:11, Kapetanakis Giannis wrote:
>> Just a heads up on this new attack
>> https://weakdh.org/
>>
> the short gist of this attack is:  upgrade your DH param file to 2048
> bits or more otherwise you're vulnerable :)

This is true, but in the case of OpenVPN the case is less horrible, because:

1) OpenVPN encourages users to generate their own DH-group using
'openssl dhparam', instead of using common groups. The man page /
examples used to provide 1024 bits DH keys (updated to 2048 recently),
and although 1024 bits dh params *can* be broken, that is still *very*
expensive. Probably too expensive for your data if you don't share the
group with others.
2) OpenVPN's tls-auth feature can prevent the downgrade attack on TLS
from happening (but, only if you use tls-auth, of course).

Still, use DH params of at least 2048 bits, please! Upgrading is easy
and only needs a change on the server. Generate new params using e.g.:

  openssl dhparam -out dh3072.pem 3072

update your server config to use this file:

  dh dh3072.pem

and restart the server.

-Steffan

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to