Bug 13635 - OpenVPN: Remove DH parameter
Status: CLOSED FIXED
Product: IPFire
Version: 2
Assignee: Michael Tremer
Blocks: OPENVPN-2024
Reported: 2024-03-19 16:06 UTC by Michael Tremer
Modified: 2024-04-08 17:36 UTC
Description Michael Tremer 2024-03-19 16:06:39 UTC
There is an option to generate a DH parameter which has always been a cause for trouble. General advice is now to use a precomputed one:

> https://datatracker.ietf.org/doc/html/rfc7919

We should discard any previously generated ones and only use the regenerated ones.
Comment 1 Adolf Belka 2024-03-19 16:47:39 UTC
The DH parameter in OpenVPN was changed to the fixed ffdhe4096 group some time early last year I think.

If you are finding code to do with DH generation still in the ovpnmain.cgi then that must have been left behind when the DH parameter was changed.

Certainly on the main OpenVPN page when you generate the x509 root/host certificate set then there is no longer any option to generate or upload the DH parameter.
Comment 2 Michael Tremer 2024-03-20 10:19:13 UTC
You are right. I had the same feeling but couldn't find it in the changes. Sometimes I feel we have done something and then we didn't.

I removed the last remaining traces of this:

> https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=commitdiff;h=13db7c9b16e9b0c2e74924736cdcaede6366377b