From patchwork Sun Jan 7 21:34:50 2018
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1594
Date: Sun, 7 Jan 2018 11:34:50 +0100
From: Peter Müller
To: "development@lists.ipfire.org"
Subject: [PATCH] correct default hash and DH params settings
Message-ID: <20180107113450.03a62842.peter.mueller@link38.eu>
List-Id: IPFire development talk

Default hash algorithm is now SHA512 instead of SHA1, but the description text has not been updated, yet. Further, make sure that 1024 bit DH parameters are always marked as weak.

Signed-off-by: Peter Müller

--- html/cgi-bin/ovpnmain.cgi | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 638e8ef0f..71fd6f06b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2002,7 +2002,7 @@ END $Lang::tr{'ovpn dh'}: - $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'}) + $Lang::tr{'openvpn default'}: SHA2 (512 $Lang::tr{'bit'}) @@ -4567,10 +4567,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; - # If no hash algorythm has been choosen yet, select - # the old default value (SHA1) for compatiblity reasons. + # Use SHA512 as default. if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'DAUTH'} = 'SHA512'; } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
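
Review bot: The new label in the hunk at line 2002 reads "SHA2 (512 $Lang::tr{'bit'})", while the value the second hunk sets is 'SHA512' and the neighbouring entries are keyed 'SHA384', 'SHA256' and 'SHA1'. Using the same name as the selection list, i.e. "SHA512", would let an admin match the stated default to an entry without translating between two names. Separately, the commit message says 1024 bit DH parameters are now always marked as weak and the diffstat counts 4 insertions and 5 deletions, but only 3 added and 4 removed lines are visible here, so the DH change next to $Lang::tr{'ovpn dh'} cannot be reviewed from this rendering. Since it is unrelated to the hash default, it would be easier to review as its own patch.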
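
Review bot: In the hunk at line 4567, the fallback for an empty $cgiparams{'DAUTH'} changes from 'SHA1' to 'SHA512', and the removed comment said SHA1 was chosen "for compatiblity reasons"; the new comment "# Use SHA512 as default." does not say why that reason no longer applies. If DAUTH can be empty when an existing net-to-net connection (TYPE eq 'net') is opened for editing, the form would preselect SHA512 and saving would move this side off the hash its peer still uses. Please confirm that the empty case only arises for new connections, or keep SHA1 for existing entries, and record the reasoning in the comment.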