Bug #8582
closed
Ship RFC 7919-provided DH groups
0%
Description
Currently, pfSense ships DH groups at sizes 1024, 2048, and 4096, with no statement as to how/where/when these groups were generated. Current best practice is to ship and use DH groups from RFC 7919, Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). The DH group values provided in this RFC have been audited for security, and are the safest values for end-users. 1024-bit groups are not provided, as this size is considered insufficient for security, so 1024-bit groups would have to be generated and shipped, but the RFC provides values for 2048, 3072, 4096, 6144, and 8192-bit groups.
Updated by Anonymous almost 6 years ago
GitHub PR filed referencing this issue: https://github.com/pfsense/pfsense/pull/3951
Updated by Jim Pingle almost 6 years ago
- Category set to Operating System
- Assignee set to Jim Pingle
- Target version set to 2.4.4
- Affected Version set to All
- Affected Architecture All added
- Affected Architecture deleted (
)
Updated by Jim Pingle almost 6 years ago
Looks good here so far. GUI still works in a variety of different browsers/platforms (Firefox and Chrome on Linux, Mac, and Windows. Opera on Linux, IE on Windows 10), OpenVPN clients can still connect to servers using the new DH parameters.
No problems found so far, but I'd like a little more feedback about OpenVPN clients on different platforms like Windows clients, Android clients, iOS clients, and so on. I don't expect any problems but it's best to be certain.
Updated by Anonymous almost 6 years ago
On 2.4.4.a.20180707.0234, DH Group 17 and 18 on Phase one and PFS key group 17 and 18 seem to work when an android strongswan client connects.
Updated by Anonymous almost 6 years ago
On 2.4.4.a.20180707.0234, DH parameter length 6144 and 8192 both seem to work when an android OpenVPN client connects.
Updated by Jim Pingle almost 6 years ago
- Status changed from Feedback to Resolved
No problems so far, tested a variety of scenarios that would use the new DH groups (GUI, OpenVPN, etc)