Project

General

Profile

Actions

Bug #8582

closed

Ship RFC 7919-provided DH groups

Added by Anonymous over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Operating System
Target version:
Start date:
06/19/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

Currently, pfSense ships DH groups at sizes 1024, 2048, and 4096, with no statement as to how/where/when these groups were generated. Current best practice is to ship and use DH groups from RFC 7919, Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). The DH group values provided in this RFC have been audited for security, and are the safest values for end-users. 1024-bit groups are not provided, as this size is considered insufficient for security, so 1024-bit groups would have to be generated and shipped, but the RFC provides values for 2048, 3072, 4096, 6144, and 8192-bit groups.

Actions #1

Updated by Anonymous over 6 years ago

GitHub PR filed referencing this issue: https://github.com/pfsense/pfsense/pull/3951

Actions #2

Updated by Jim Pingle over 6 years ago

  • Category set to Operating System
  • Assignee set to Jim Pingle
  • Target version set to 2.4.4
  • Affected Version set to All
  • Affected Architecture All added
  • Affected Architecture deleted ()
Actions #3

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Feedback

PR Merged

Actions #4

Updated by Jim Pingle over 6 years ago

Looks good here so far. GUI still works in a variety of different browsers/platforms (Firefox and Chrome on Linux, Mac, and Windows. Opera on Linux, IE on Windows 10), OpenVPN clients can still connect to servers using the new DH parameters.

No problems found so far, but I'd like a little more feedback about OpenVPN clients on different platforms like Windows clients, Android clients, iOS clients, and so on. I don't expect any problems but it's best to be certain.

Actions #5

Updated by Anonymous over 6 years ago

On 2.4.4.a.20180707.0234, DH Group 17 and 18 on Phase one and PFS key group 17 and 18 seem to work when an android strongswan client connects.

Actions #6

Updated by Anonymous over 6 years ago

On 2.4.4.a.20180707.0234, DH parameter length 6144 and 8192 both seem to work when an android OpenVPN client connects.

Actions #7

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Resolved

No problems so far, tested a variety of scenarios that would use the new DH groups (GUI, OpenVPN, etc)

Actions

Also available in: Atom PDF