From patchwork Thu Nov  3 15:29:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 6068
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4N373T2HkZz3wdF
	for <patchwork@web04.haj.ipfire.org>; Thu,  3 Nov 2022 15:29:41 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4N373S0svxz1fj;
	Thu,  3 Nov 2022 15:29:40 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4N373R6rV5z2ySh;
	Thu,  3 Nov 2022 15:29:39 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384))
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4N373Q4fYWz2xJk
 for <development@lists.ipfire.org>; Thu,  3 Nov 2022 15:29:38 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384))
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4N373N4mddz15L
 for <development@lists.ipfire.org>; Thu,  3 Nov 2022 15:29:36 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1667489378;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=3JiS0rwXI/f93NfwTdKXS0Vd3f2VaKy4OIlqBvizFmg=;
 b=HKXsSGeVyidDXA6M19cuoIa3fFmU6TP1E/KW9A/jcFV7XYEh1u+E7KSzUfEgImeYM0E6Hy
 UKz3jYCB5D13TqDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1667489378;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=3JiS0rwXI/f93NfwTdKXS0Vd3f2VaKy4OIlqBvizFmg=;
 b=sU61/QCbBmNSJxSY9eHePfv+NNipwVManmb7DulAUnydL9cluwaVvLuigTBR8TO/FFS18J
 NR7Ma7Ehk8ZumeCKISYO6FplGeqQzSyhym6icz/nUQ3Eer4nCu5Ws8w7eBShmRxg6UFfvm
 h+9CvbiPC36s2kJDW2AgLZU8jL0hXP+wodyrQDTCQ25WGUriQaYvBkmujN/m8bkh1OTuUf
 L3hoYFE66ZTuylV1RO8Ve2PX7xAW9yqh1M/9Uf4PsB06+RIGPpIt3BfvrOPNSJcMxO81IR
 NcQi9IkNTvZr8vIwZZrIX9KKzoiEvVmOwh6ZZxyn8NbnuADCZsSSxvw7TkPw2w==
Message-ID: <06498720-4e0d-a58f-5914-b46cd91d755b@ipfire.org>
Date: Thu, 3 Nov 2022 15:29:32 +0000
MIME-Version: 1.0
Content-Language: en-US
To: "IPFire: Development" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH] IPsec/OpenVPN: Use 4,096-bit RSA for host certificates as
 well
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

We already moved away from 2048-MODP in Core Update 170. Similarly,
German Federal Office for Information Security (BSI) recommends shifting
away from RSA keys below 3,000 bits by the end of 2022 at the latest.

The only place left in IPFire 2.x where we generate such keys is for
IPsec and OpenVPN host certificates. This patch increases their key
sizes to 4,096 bits as well - CA certificates already have this length.

Existing VPN connections cannot be migrated automatically. However, only
the respective host certificate has to be regenerated - thanks to the CA
certificates' key length being sufficient, there is no need to replace
the entire VPN CA.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 10 ++++------
 html/cgi-bin/vpnmain.cgi  |  4 ++--
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 90d3710e4..f85d610d8 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2014  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -18,9 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
 #                                                                             #
 ###############################################################################
-###
-# Based on IPFireCore 77
-###
+
 use CGI;
 use CGI qw/:standard/;
 use Imager::QRCode;
@@ -1970,7 +1968,7 @@ END
 	    }
 	} else {	# child
 	    unless (exec ('/usr/bin/openssl', 'req', '-nodes',
-			'-newkey', 'rsa:2048',
+			'-newkey', 'rsa:4096',
 			'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
 			'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
 			'-extensions', 'server',
@@ -4363,7 +4361,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 		}
 	    } else {	# child
 		unless (exec ('/usr/bin/openssl', 'req', '-nodes',
-			'-newkey', 'rsa:2048',
+			'-newkey', 'rsa:4096',
 			'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
 			'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
 			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index fc250b1f5..6c1fd4cf0 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1093,7 +1093,7 @@ END
 			&General::log("ipsec", "Creating host cert...");
 			if (open(STDIN, "-|")) {
 				my $opt = " req -sha256 -nodes";
-				$opt .= " -newkey rsa:2048";
+				$opt .= " -newkey rsa:4096";
 				$opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
 				$opt .= " -out ${General::swroot}/certs/hostreq.pem";
 				$errormessage = &callssl ($opt);
@@ -2139,7 +2139,7 @@ END
 
 		if (open(STDIN, "-|")) {
 			my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
-			$opt .= " -newkey rsa:2048";
+			$opt .= " -newkey rsa:4096";
 			$opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
 			$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";