correct default hash and DH params settings

Message ID 20180107113450.03a62842.peter.mueller@link38.eu
State Dropped
Headers
Series correct default hash and DH params settings |

Commit Message

Peter Müller Jan. 7, 2018, 9:34 p.m. UTC
  Default hash algorithm is now SHA512 instead of SHA1, but
the description text has not been updated, yet.

Further, make sure that 1024 bit DH parameters are always
marked as weak.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 html/cgi-bin/ovpnmain.cgi | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
  

Comments

Michael Tremer Jan. 11, 2018, 3:52 a.m. UTC | #1
Hi,

so I guess this patch does two things:

a) Mark some ciphers, etc. as weak

b) Changes the default integrity to SHA512

The first part is absolutely fine with me. We have been doing the same
for IPsec.

The latter one however, I am not so sure about. I consider SHA1 as
broken, but that is true for some other things here as well. So I would
like to propose to leave this untouched so far and change these when we
upgrade to OpenVPN 2.4.

Then, we can also change to AES-GCM or something better even. That is
still up for debate. Though. But at least we won't change defaults
twice.

-Michael

On Sun, 2018-01-07 at 11:34 +0100, Peter Müller wrote:
> Default hash algorithm is now SHA512 instead of SHA1, but
> the description text has not been updated, yet.
> 
> Further, make sure that 1024 bit DH parameters are always
> marked as weak.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  html/cgi-bin/ovpnmain.cgi | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 638e8ef0f..71fd6f06b 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -2002,7 +2002,7 @@ END
>  	    </select></td>
>  	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
>  		<td class='base'><select name='DHLENGHT'>
> -				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
> +				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
>  				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
>  				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
>  				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
> @@ -2847,7 +2847,7 @@ print <<END;
>  				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
>  			</select>
>  		</td>
> -		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
> +		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA2 (512 $Lang::tr{'bit'})</span></td>
>      </tr>
>  </table>
>  
> @@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
>      $selected{'DAUTH'}{'SHA384'} = '';
>      $selected{'DAUTH'}{'SHA256'} = '';
>      $selected{'DAUTH'}{'SHA1'} = '';
> -    # If no hash algorythm has been choosen yet, select
> -    # the old default value (SHA1) for compatiblity reasons.
> +    # Use SHA512 as default.
>      if ($cgiparams{'DAUTH'} eq '') {
> -	$cgiparams{'DAUTH'} = 'SHA1';
> +	$cgiparams{'DAUTH'} = 'SHA512';
>      }
>      $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
>
  
Peter Müller Jan. 21, 2018, 1:57 a.m. UTC | #2
Hello,

sorry for the late reply.

> Hi,
> 
> so I guess this patch does two things:
Yes, I know. Better send in two patches...
> 
> a) Mark some ciphers, etc. as weak
Yes.
> 
> b) Changes the default integrity to SHA512
The default hash setting _is_ SHA512 already, but the description beside
it still says it would be SHA1, so I corrected that.

But you are right, the other SHA1 part down below changes used hash
algorithm.
> 
> The first part is absolutely fine with me. We have been doing the same
> for IPsec.
> 
> The latter one however, I am not so sure about. I consider SHA1 as
> broken, but that is true for some other things here as well. So I would
> like to propose to leave this untouched so far and change these when we
> upgrade to OpenVPN 2.4.
I did not noticed 2.4 to be in development.
> 
> Then, we can also change to AES-GCM or something better even. That is
> still up for debate. Though. But at least we won't change defaults
> twice.
All right, if you agree, I just send in a small patch correcting the
"default" string in the WebUI so we stay consistent here.

Best regards,
Peter Müller
> 
> -Michael
> 
> On Sun, 2018-01-07 at 11:34 +0100, Peter Müller wrote:
> > Default hash algorithm is now SHA512 instead of SHA1, but
> > the description text has not been updated, yet.
> > 
> > Further, make sure that 1024 bit DH parameters are always
> > marked as weak.
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> >  html/cgi-bin/ovpnmain.cgi | 9 ++++-----
> >  1 file changed, 4 insertions(+), 5 deletions(-)
> > 
> > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> > index 638e8ef0f..71fd6f06b 100644
> > --- a/html/cgi-bin/ovpnmain.cgi
> > +++ b/html/cgi-bin/ovpnmain.cgi
> > @@ -2002,7 +2002,7 @@ END
> >  	    </select></td>
> >  	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
> >  		<td class='base'><select name='DHLENGHT'>
> > -				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
> > +				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
> >  				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
> >  				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
> >  				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
> > @@ -2847,7 +2847,7 @@ print <<END;
> >  				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> >  			</select>
> >  		</td>
> > -		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
> > +		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA2 (512 $Lang::tr{'bit'})</span></td>
> >      </tr>
> >  </table>
> >  
> > @@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
> >      $selected{'DAUTH'}{'SHA384'} = '';
> >      $selected{'DAUTH'}{'SHA256'} = '';
> >      $selected{'DAUTH'}{'SHA1'} = '';
> > -    # If no hash algorythm has been choosen yet, select
> > -    # the old default value (SHA1) for compatiblity reasons.
> > +    # Use SHA512 as default.
> >      if ($cgiparams{'DAUTH'} eq '') {
> > -	$cgiparams{'DAUTH'} = 'SHA1';
> > +	$cgiparams{'DAUTH'} = 'SHA512';
> >      }
> >      $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
> >
  

Patch

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 638e8ef0f..71fd6f06b 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2002,7 +2002,7 @@  END
 	    </select></td>
 	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
 		<td class='base'><select name='DHLENGHT'>
-				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
+				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
 				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
 				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
 				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
@@ -2847,7 +2847,7 @@  print <<END;
 				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
-		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
+		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA2 (512 $Lang::tr{'bit'})</span></td>
     </tr>
 </table>
 
@@ -4567,10 +4567,9 @@  if ($cgiparams{'TYPE'} eq 'net') {
     $selected{'DAUTH'}{'SHA384'} = '';
     $selected{'DAUTH'}{'SHA256'} = '';
     $selected{'DAUTH'}{'SHA1'} = '';
-    # If no hash algorythm has been choosen yet, select
-    # the old default value (SHA1) for compatiblity reasons.
+    # Use SHA512 as default.
     if ($cgiparams{'DAUTH'} eq '') {
-	$cgiparams{'DAUTH'} = 'SHA1';
+	$cgiparams{'DAUTH'} = 'SHA512';
     }
     $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';