Summary: | OpenVPN: Remove DH parameter | | |
---|---|---|---|
Product: | IPFire | Reporter: | Michael Tremer <michael.tremer> |
Component: | --- | Assignee: | Michael Tremer <michael.tremer> |
Status: | CLOSED FIXED | QA Contact: | |
Severity: | - Unknown - | | |
Priority: | - Unknown - | CC: | adolf.belka |
Version: | 2 | | |
Hardware: | unspecified | | |
OS: | Unspecified | | |
Bug Depends on: | | | |
Bug Blocks: | 13633 | | |

The DH parameter in OpenVPN was changed to the fixed ffdhe4096 group some time early last year I think. If you are finding code to do with DH generation still in the ovpnmain.cgi then that must have been left behind when the DH parameter was changed. Certainly on the main OpenVPN page when you generate the x509 root/host certificate set then there is no longer any option to generate or upload the DH parameter.

You are right. I had the same feeling but couldn't find it in the changes. Sometimes I feel we have done something and then we didn't.
I removed the last remaining traces of this:
> https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=commitdiff;h=13db7c9b16e9b0c2e74924736cdcaede6366377b
There is an option to generate a DH parameter which has since always been a cause for trouble. General advice is now to use a precomputed one:
> https://datatracker.ietf.org/doc/html/rfc7919

We should discard any previously generated ones and only use the regenerated ones.