Regression #16421
Updated by Jim Pingle 3 days ago
On current Plus 25.11 and CE 2.9.0 snapshots, OpenVPN servers will not start if they have a DH parameter size of 1024 in the configuration:

    <dh_length>1024</dh_length>

A recent upstream change in OpenSSL appears to have enacted a new lower limit for security:

    Sep 9 14:23:39 openvpn 86194 OpenSSL: error:0A00018A:SSL routines::dh key too small:
    Sep 9 14:23:39 openvpn 86194 SSL_CTX_set0_tmp_dh_pkey
    Sep 9 14:23:39 openvpn 86194 Exiting due to fatal error

We need some upgrade code to bump those to 2048 (or higher) on all server instances. We also need to remove the 1024 choice from the drop-down and remove the file with the 1024 DH material and so on. In the meantime those testing snapshots can edit the server and choose a DH value >= 2048.
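The migration described in the comment above, as an added illustration rather than pfSense's own upgrade code (which is PHP): it walks a config.xml, raises every OpenVPN server dh_length below 2048 to 2048, and leaves larger or non-numeric values alone. The element layout (pfsense/openvpn/openvpn-server/dh_length, vpnid) and the sample config are assumptions constructed for the example.

```python
# Added example, not pfSense's upgrade code: bump OpenVPN server DH sizes
# below the OpenSSL minimum ("dh key too small") to 2048 in a config.xml.
# Assumed layout: <pfsense><openvpn><openvpn-server><dh_length>N</dh_length>
import xml.etree.ElementTree as ET

MIN_DH_BITS = 2048  # lower limit now enforced by OpenSSL

# Constructed sample: one weak server, one already compliant, one without
# an explicit DH length (e.g. an ECDH-only instance).
SAMPLE_CONFIG = """<pfsense>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <dh_length>1024</dh_length>
    </openvpn-server>
    <openvpn-server>
      <vpnid>2</vpnid>
      <dh_length>4096</dh_length>
    </openvpn-server>
    <openvpn-server>
      <vpnid>3</vpnid>
    </openvpn-server>
  </openvpn>
</pfsense>"""


def bump_dh_lengths(config_xml, minimum=MIN_DH_BITS):
    """Return (updated_xml, changed_vpnids).

    Only servers whose dh_length parses as an integer below `minimum`
    are rewritten; missing or non-numeric values (assumed to mark an
    ECDH-only server) are left untouched so nothing is silently broken.
    """
    root = ET.fromstring(config_xml)
    changed = []
    for server in root.iterfind("./openvpn/openvpn-server"):
        dh = server.find("dh_length")
        if dh is None or dh.text is None:
            continue
        try:
            bits = int(dh.text.strip())
        except ValueError:
            continue
        if bits < minimum:
            dh.text = str(minimum)
            changed.append(server.findtext("vpnid", default="?"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    updated, changed = bump_dh_lengths(SAMPLE_CONFIG)
    print("bumped vpnids:", changed)  # bumped vpnids: ['1']
```

Running the function a second time over its own output changes nothing, so it is safe to re-run as part of an idempotent upgrade step.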