On Sat, May 23, 2015 at 4:07 PM, Bonno Bloksma <b.blok...@tio.nl> wrote:
>>>> Just a heads up on this new attack
>>>> https://weakdh.org/
>>>>
>>> the short gist of this attack is: upgrade your DH param file to 2048
>>> bits or more otherwise you're vulnerable :)
>>
>> This is true, but in the case of OpenVPN the case is less horrible, because:
>>
>> 1) OpenVPN encourages users to generate their own DH-group using
>> 'openssl dhparam', instead of using common groups. The man page /
>> examples used to provide 1024 bits DH keys (updated to 2048 recently),
>
> Are you sure? I just looked at my setup which I generated many years ago
> and it has a dh4096.pem file.
> I think I generated this using default parameters because I did not
> understand much about openvpn and keys at that time. But then again,
> maybe I did increase it myself.

Yes, I'm sure. It was this commit where I updated the sample dh params from 1024 to 2048 bits:
https://github.com/OpenVPN/openvpn/commit/b77c27a

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users