Bug #8582
closed
Ship RFC 7919-provided DH groups
Added by Anonymous almost 6 years ago.
Updated almost 6 years ago.
Category:
Operating System
Affected Architecture:
All
Description
Currently, pfSense ships DH groups at sizes 1024, 2048, and 4096, with no statement as to how/where/when these groups were generated. Current best practice is to ship and use DH groups from RFC 7919, Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). The DH group values provided in this RFC have been audited for security, and are the safest values for end-users. 1024-bit groups are not provided, as this size is considered insufficient for security, so 1024-bit groups would have to be generated and shipped, but the RFC provides values for 2048, 3072, 4096, 6144, and 8192-bit groups.
- Category set to Operating System
- Assignee set to Jim Pingle
- Target version set to 2.4.4
- Affected Version set to All
- Affected Architecture All added
- Affected Architecture deleted (
- Status changed from New to Feedback
Looks good here so far. GUI still works in a variety of different browsers/platforms (Firefox and Chrome on Linux, Mac, and Windows. Opera on Linux, IE on Windows 10), OpenVPN clients can still connect to servers using the new DH parameters.
No problems found so far, but I'd like a little more feedback about OpenVPN clients on different platforms like Windows clients, Android clients, iOS clients, and so on. I don't expect any problems but it's best to be certain.
On 2.4.4.a.20180707.0234, DH Group 17 and 18 on Phase one and PFS key group 17 and 18 seem to work when an android strongswan client connects.
On 2.4.4.a.20180707.0234, DH parameter length 6144 and 8192 both seem to work when an android OpenVPN client connects.
- Status changed from Feedback to Resolved
No problems so far, tested a variety of scenarios that would use the new DH groups (GUI, OpenVPN, etc)
Also available in: Atom
PDF
Updated by