Cryptographic warning - still reappears

I have upgraded to latest - IPFire 2.25 (i586) - Core Update 155

  • after Cryptographic error: The Diffie-Hellman parameter needs to be in minimum 2048 bit!

I have recreated the root/host/DH/TLS-Auth key - but the Cryptographic warning still appears, saying I should upgrade to the latest version - that is already done.

Should I care about that warning? Or how do I remove it if it is irrelevant?

Thank You.

Hi,
because of the Logjam attack → https://community.openvpn.net/openvpn/wiki/Logjam , this check has been added, whereby this message appears if the dh-parameter is under 2048 bit → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi . IPFire should create a 2048-bit dh-parameter by default if you've created a new PKI. You can check the parameter length via the WUI or with an

openssl dhparam -text -in /var/ipfire/ovpn/ca/dh1024.pem

If it is under 2048 bit you can create a new one via IPFire → wiki.ipfire.org - Generate Server certificates and keys, which may take very long, or you can create it on a faster machine with OpenSSL with an

openssl dhparam -out dhparam.pem 2048

and upload it via OpenVPN WUI.

Best,

Erik
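The check Erik describes looks at the actual modulus length in the DH parameter file, not at its file name (IPFire keeps the file at /var/ipfire/ovpn/ca/dh1024.pem even after a 2048-bit parameter is uploaded). The following is an added example, not IPFire's own code nor the logic in ovpnmain.cgi: it decodes a "DH PARAMETERS" PEM block, reads the prime from the DER structure, and reports whether it meets the 2048-bit minimum. The two sample moduli are constructed only to exercise the length check; they are not real safe primes and must never be used as DH parameters.

```python
import base64
import re

# Minimum the IPFire check in ovpnmain.cgi enforces (per the thread).
MIN_DH_BITS = 2048

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes inside a 'DH PARAMETERS' PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER reader: returns (tag, value bytes, position after TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_modulus_bits(der: bytes) -> int:
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER [, ...] }"""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, prime, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    # A leading 0x00 pad byte (positive INTEGER with high bit set) is harmless here.
    return int.from_bytes(prime, "big").bit_length()


def check_dh_pem(pem_text: str):
    """Return (modulus bits, passes 2048-bit minimum) for a DH PEM file's text."""
    bits = dh_modulus_bits(pem_to_der(pem_text))
    return bits, bits >= MIN_DH_BITS


# --- helpers to build constructed sample files (for demonstration only) ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body


def make_dh_pem(p: int, g: int = 2) -> str:
    """Wrap (p, g) as a PEM 'DH PARAMETERS' block; p is NOT checked for primality."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# Constructed moduli: correct bit lengths, but not primes. Never use as real parameters.
WEAK_1024 = (1 << 1023) | 1
STRONG_2048 = (1 << 2047) | 1


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. the file from the thread: /var/ipfire/ovpn/ca/dh1024.pem
        with open(sys.argv[1]) as fh:
            bits, ok = check_dh_pem(fh.read())
        print(f"{sys.argv[1]}: {bits} bit -> {'OK' if ok else 'TOO SHORT'}")
    else:
        for name, p in (("constructed 1024", WEAK_1024), ("constructed 2048", STRONG_2048)):
            bits, ok = check_dh_pem(make_dh_pem(p))
            print(f"{name}: {bits} bit -> {'OK' if ok else 'TOO SHORT'}")
```

Run it with the path of the parameter file as the only argument to get the same bit count that `openssl dhparam -text` prints in its "DH Parameters: (N bit)" line; the result depends only on the file's contents, which is why a file still called dh1024.pem can pass once a 2048-bit parameter has been uploaded.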

Hi Erik.

Thanks for the (known) answer, but even though I have the 2048 length OK,


still the warning appears…


Cryptographic warning

Your host certificate is not RFC3280 compliant.


also, should I care about this warning anymore?

or how do I make it vanish? I don't want to generate something again - I have already recreated about 30 OVPN RoadWarriors… :expressionless:

This message should then disappear by reloading the page.

It does not. :frowning: I still have it showing on 2 of the 4 ipfire machines I have under control (the two without this warning were installed fresh from the latest release - there must be some residuals on the two oldest machines that cause the warning to reappear - perhaps because those were built from very old images and updated, and not installed from a newer image which doesn't suffer from this error…) (?)

Have tested it here too with a 1024-bit dh-parameter, where the message appears. Then substituted it with a 2048-bit one, reloaded the page and the warning disappeared. Did you make a diff of the local ovpnmain.cgi against the current actual one → https://git.ipfire.org/?p=ipfire-2.x.git;a=blob_plain;f=html/cgi-bin/ovpnmain.cgi;hb=refs/heads/core156 ?


yes, all is the same (except line 50 - but that is about themes, so not related to this…)

What happens if you comment out the 'pkiconfigcheck' (line 103) → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi , reload the page, then uncomment it and reload the page again?

if commented: NO WARNING :slight_smile:

if uncommented (original file state) and F5 (page refresh): warning reappears again :frowning: