Bug #8582

Ship RFC 7919-provided DH groups

Added by Justin Coffman 9 months ago. Updated 8 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Operating System
Target version:
Start date:
06/19/2018
Due date:
% Done:
0%

Estimated time:
Affected Version:
All
Affected Architecture:
All

Description

Currently, pfSense ships DH groups at sizes 1024, 2048, and 4096, with no statement as to how/where/when these groups were generated. Current best practice is to ship and use DH groups from RFC 7919, Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). The DH group values provided in this RFC have been audited for security and are the safest values for end-users. 1024-bit groups are not provided, as this size is considered insufficient for security, so 1024-bit groups would have to be generated and shipped; the RFC provides values for 2048, 3072, 4096, 6144, and 8192-bit groups.
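To show why the RFC 7919 groups can be audited at all, the following added example (not code from this issue or from pfSense) regenerates the ffdhe2048 modulus from the RFC's published formula, checks that it is a safe prime, and wraps it as the "DH PARAMETERS" PEM that OpenVPN reads, so it can be compared against a shipped dh2048.pem. It assumes the RFC's offset X = 560316 for the 2048-bit group and generator g = 2.

```python
# Added example, not pfSense or RFC code: derive RFC 7919 ffdhe2048 from its formula
# p = 2^b - 2^(b-64) + (floor(2^(b-130) * e) + X) * 2^64 - 1, g = 2, where X is the
# smallest offset making p a safe prime (560316 for ffdhe2048), and emit it as PEM.
import base64
import random

def floor_pow2_times_e(n: int, guard: int = 64) -> int:
    """floor(2**n * e) by exact integer summation of e = sum(1/k!)."""
    term, total, k = 1 << (n + guard), 0, 1   # term == floor(2^(n+guard) / k!)
    while term:
        total, term, k = total + term, term // k, k + 1
    return total >> guard                     # guard bits absorb truncation error

def rfc7919_prime(bits: int, x: int) -> int:
    """The RFC 7919 modulus for a `bits`-bit group with offset X."""
    return (1 << bits) - (1 << (bits - 64)) + ((floor_pow2_times_e(bits - 130) + x) << 64) - 1

def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin: enough to expose a wrong X, not a primality certificate."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s = ((n - 1) & -(n - 1)).bit_length() - 1   # n - 1 == d * 2**s with d odd
    for _ in range(rounds):
        y = pow(random.randrange(2, n - 1), (n - 1) >> s, n)
        if y != 1:
            for _ in range(s):
                if y == n - 1:
                    break
                y = pow(y, 2, n)
            else:
                return False
    return True

def der(tag: int, body: bytes) -> bytes:
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")   # minimal DER length
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def der_int(v: int) -> bytes:
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))   # 0x00 pad keeps it positive

def dh_params_pem(p: int, g: int = 2) -> str:
    """SEQUENCE { INTEGER p, INTEGER g } as an OpenSSL 'DH PARAMETERS' PEM (OpenVPN dh file)."""
    b64 = base64.b64encode(der(0x30, der_int(p) + der_int(g))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    p = rfc7919_prime(2048, 560316)
    assert is_probable_prime(p) and is_probable_prime((p - 1) // 2), "not a safe prime"
    print(dh_params_pem(p), end="")
```

The printed PEM should be byte-identical to a dh2048.pem taken from RFC 7919; any difference means the file on the box is a locally generated group, not the audited one.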

History

#1 Updated by Justin Coffman 9 months ago

GitHub PR filed referencing this issue: https://github.com/pfsense/pfsense/pull/3951

#2 Updated by Jim Pingle 9 months ago

  • Category set to Operating System
  • Assignee set to Jim Pingle
  • Target version set to 2.4.4
  • Affected Version set to All
  • Affected Architecture set to All

#3 Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback

PR Merged

#4 Updated by Jim Pingle 9 months ago

Looks good here so far. GUI still works in a variety of different browsers/platforms (Firefox and Chrome on Linux, Mac, and Windows; Opera on Linux; IE on Windows 10), and OpenVPN clients can still connect to servers using the new DH parameters.

No problems found so far, but I'd like a little more feedback about OpenVPN clients on different platforms like Windows clients, Android clients, iOS clients, and so on. I don't expect any problems but it's best to be certain.

#5 Updated by James Dekker 9 months ago

On 2.4.4.a.20180707.0234, DH Group 17 and 18 on Phase 1 and PFS key group 17 and 18 seem to work when an Android strongSwan client connects.

#6 Updated by James Dekker 9 months ago

On 2.4.4.a.20180707.0234, DH parameter length 6144 and 8192 both seem to work when an Android OpenVPN client connects.

#7 Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Resolved

No problems so far; tested a variety of scenarios that would use the new DH groups (GUI, OpenVPN, etc.).
