Ship RFC 7919-provided DH groups
Currently, pfSense ships DH groups at sizes 1024, 2048, and 4096, with no statement as to how/where/when these groups were generated. Current best practice is to ship and use DH groups from RFC 7919, Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). The DH group values provided in this RFC have been audited for security, and are the safest values for end-users. 1024-bit groups are not provided, as this size is considered insufficient for security, so 1024-bit groups would have to be generated and shipped, but the RFC provides values for 2048, 3072, 4096, 6144, and 8192-bit groups.
#4 Updated by Jim Pingle over 1 year ago
Looks good here so far. GUI still works in a variety of different browsers/platforms (Firefox and Chrome on Linux, Mac, and Windows. Opera on Linux, IE on Windows 10), OpenVPN clients can still connect to servers using the new DH parameters.
No problems found so far, but I'd like a little more feedback about OpenVPN clients on different platforms like Windows clients, Android clients, iOS clients, and so on. I don't expect any problems but it's best to be certain.