I have upgraded to the latest - IPFire 2.25 (i586) - Core Update 155.
After that: Cryptographic error: The Diffie-Hellman parameter needs to be in minimum 2048 bit!
I have recreated the root/host/DH/TLS-Auth keys - but the cryptographic warning still appears saying I should upgrade to the latest version - that is already done.
Should I care about that warning? Or how can I remove it if it is irrelevant?
Thank you.
ummeegge
(Erik Kapfer)
29 April 2021 14:51
Hi,
Because of the Logjam attack → https://community.openvpn.net/openvpn/wiki/Logjam , this check has been added, whereby this message appears if the dh-parameter is under 2048 bit → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi . IPFire should create a 2048 bit dh-parameter by default if you've created a new PKI. You can check the parameter length via the WUI or with
openssl dhparam -text -in /var/ipfire/ovpn/ca/dh1024.pem
If it is under 2048 bit you can create a new one via IPFire → wiki.ipfire.org - Generate Server certificates and keys, which may take very long, or you can create it on a faster machine with OpenSSL with
openssl dhparam -out dhparam.pem 2048
and upload it via OpenVPN WUI.
Best,
Erik
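The same length check the WUI performs, as an added example that is not IPFire's code and not part of Erik's post: it parses a PEM "DH PARAMETERS" block (PKCS#3 SEQUENCE of prime and generator) offline and reports whether the prime reaches 2048 bit. The sample parameters are constructed placeholder values, not safe primes; only their length matters for the check.

```python
import base64
import re
MIN_DH_BITS = 2048  # the minimum that ovpnmain.cgi's check enforces

def _der_length(n):
    # DER length field: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body
def build_dh_pem(p, g=2):
    # PKCS#3: DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    seq = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(seq)) + seq
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"
def _read_tlv(data, pos):
    # minimal DER tag-length-value reader: returns (tag, value, next position)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def dh_prime_bits(pem):
    # bit length of the prime p inside a PEM "DH PARAMETERS" block
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    tag_p, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x30 or tag_p != 0x02:
        raise ValueError("not a PKCS#3 DHParameter structure")
    return int.from_bytes(p_bytes, "big").bit_length()

def check_dh_param(pem, minimum=MIN_DH_BITS):
    # same verdict as the WUI warning: (bits, acceptable?)
    bits = dh_prime_bits(pem)
    return bits, bits >= minimum

# Constructed sample parameters (placeholder values, NOT safe primes)
WEAK_PEM = build_dh_pem((1 << 1023) | 1)   # 1024 bit -> warning
OK_PEM = build_dh_pem((1 << 2047) | 1)     # 2048 bit -> no warning
```

To check a real file, pass the contents of /var/ipfire/ovpn/ca/dh1024.pem (or whatever the WUI uploaded) to check_dh_param.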
Hi Erik.
Thanks for the (known) answer, but even though the 2048 length is OK,
the warning still appears…
Cryptographic warning
Your host certificate is not RFC3280 compliant.
Also, should I care about this warning anymore?
Or how do I make it vanish? I don't want to generate something again - I have already recreated about 30 OVPN RoadWarriors…
ummeegge
(Erik Kapfer)
1 May 2021 04:22
This message should then disappear by reloading the page.
It does not. I still have it showing on 2 of the 4 IPFire machines I have under control (the two without this warning were installed from the latest image - there must be some residuals on the two oldest machines that cause the warning to reappear - perhaps because those were built from very old images and updated, and not installed from a newer image which doesn't suffer from this error…) (?)
ummeegge
(Erik Kapfer)
7 May 2021 07:18
Have tested it here too with a 1024bit dh-parameter, where the message appears. Substituted it then with 2048bit, reloaded the page and the warning disappeared. Did you make a diff of the local ovpnmain.cgi against the current one → https://git.ipfire.org/?p=ipfire-2.x.git;a=blob_plain;f=html/cgi-bin/ovpnmain.cgi;hb=refs/heads/core156 ?
Yes, all is the same (except line 50 - but that is about themes, so not related to this…)
ummeegge
(Erik Kapfer)
7 May 2021 12:04
What happens if you comment out the ‘pkiconfigcheck’ (line 103) → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi , reload the page, then uncomment it and reload the page again?
If commented out: NO WARNING
If uncommented (original file state) and F5 (page refresh): the warning reappears