Regression #16421

open

OpenVPN servers will not start with DH parameters < 2048

Added by Jim Pingle 3 days ago. Updated 3 days ago.

Status: New
Priority: High
Assignee: -
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 25.11
Release Notes: Default
Affected Version:
Affected Architecture:

Description

On current Plus 25.11 and CE 2.9.0 snapshots, OpenVPN servers will not start if they have a DH parameter size of 1024 in the configuration:

<dh_length>1024</dh_length>

A recent upstream change in OpenSSL appears to have introduced a new minimum DH key size as a security hardening measure, so the server exits at startup:

Sep 9 14:23:39     openvpn     86194     OpenSSL: error:0A00018A:SSL routines::dh key too small:
Sep 9 14:23:39     openvpn     86194     SSL_CTX_set0_tmp_dh_pkey
Sep 9 14:23:39     openvpn     86194     Exiting due to fatal error 

We need some upgrade code to bump those to 2048 (or higher) on all server instances.

We also need to remove the 1024 choice from the drop-down and remove the file with the 1024 DH material and so on.

In the meantime those testing snapshots can edit the server and choose a DH value >= 2048.
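The upgrade step described above (raising every server's DH parameter size to at least 2048), as an added example that is not pfSense's own upgrade code. It assumes the config.xml layout shown in the constructed sample (openvpn/openvpn-server/dh_length); non-numeric dh_length values are deliberately left alone for a human to review.

```python
import xml.etree.ElementTree as ET

# Smallest DH size the newer OpenSSL accepts ("dh key too small" below this).
MIN_DH_LENGTH = 2048

# Constructed sample modelled on the relevant part of a pfSense config.xml;
# vpnid/description values are hypothetical, not from a real install.
SAMPLE_CONFIG = """<pfsense>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <description>legacy-1024</description>
      <dh_length>1024</dh_length>
    </openvpn-server>
    <openvpn-server>
      <vpnid>2</vpnid>
      <description>already-4096</description>
      <dh_length>4096</dh_length>
    </openvpn-server>
    <openvpn-server>
      <vpnid>3</vpnid>
      <description>no-dh-setting</description>
    </openvpn-server>
  </openvpn>
</pfsense>
"""


def bump_dh_lengths(config_xml: str, minimum: int = MIN_DH_LENGTH):
    """Return (updated_xml, changed_vpnids).

    Raises every numeric dh_length below `minimum` to `minimum`. Servers with
    a larger value, no dh_length element, or a non-numeric value are untouched.
    """
    root = ET.fromstring(config_xml)
    changed = []
    for server in root.iterfind("./openvpn/openvpn-server"):
        dh = server.find("dh_length")
        if dh is None or dh.text is None:
            continue
        try:
            size = int(dh.text.strip())
        except ValueError:
            continue  # e.g. a non-numeric setting: leave it for manual review
        if size < minimum:
            dh.text = str(minimum)
            changed.append(server.findtext("vpnid"))
    return ET.tostring(root, encoding="unicode"), changed
```

Running it over a real config should be followed by regenerating the DH material for the changed instances, since the old 1024-bit file itself is also rejected by OpenSSL.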
