Netgate Discussion Forum

    OpenVPN Server defaults to SHA1

    OpenVPN
    11 Posts 3 Posters 13.7k Views

    • Derelict LAYER 8 Netgate

      auth SHA512;

      in the advanced config doesn't do it for you?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Heli0s

        That worked! Didn't know I could do that lol

        The only question that I have is that when I export the ovpn file, it still shows SHA1. Does that mean that I'll need to manually modify it each time? Or is there some setting I need to fix?

        • cmb

          auth in OpenVPN is for HMAC, it's not related to what your certificates use. It's GUI-controllable in 2.2. If you want to use something else in 2.1x or earlier versions, you'll have to specify it as a custom option in the client export and make sure it matches the server's config there. There is no need to change it because of your certificates though. SHA1 is OpenVPN's default for HMAC.

          • Derelict LAYER 8 Netgate

            It doesn't look like the client export pulls special settings from the server (hard to tell which need to be in the client anyway.)

            If you want client export to default to auth SHA512; I think you'll need to modify the php used for the config page.

            That is /usr/local/www/vpn_openvpn_export.php

            The line in question would look like this:

            Will not survive upgrades/reinstalls/etc.  Should survive reboots.  Caveat emptor, YMMV, "voids warranty", etc.

            Otherwise just put it in advanced options every time.

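The practical point in the two replies above is that `auth` selects the HMAC digest for the data channel, that OpenVPN falls back to SHA1 when the directive is absent, and that whatever the server uses must also appear in every exported client profile or the tunnel will not come up. The script below is an added example written for this thread, not pfSense code and not a substitute for the `vpn_openvpn_export.php` edit Derelict mentions: it reads the server config and an exported `.ovpn`, reports the digest each one selects, and rewrites the client profile so the two agree. The server and client configs embedded in it are constructed samples; the parsing treats `#` as a comment and a non-leading `;` as a directive separator, matching the `auth SHA512;` style used in the pfSense advanced-options box.

```python
"""Added example: check that an exported OpenVPN client profile selects the
same HMAC digest ('auth' directive) as the server, and fix it when it does not.
Not pfSense code; SERVER_CONF and CLIENT_OVPN are constructed samples."""

DEFAULT_AUTH = "SHA1"  # OpenVPN's implicit HMAC digest when 'auth' is absent

# Constructed sample server config: 'auth SHA512' added via the advanced
# options box, which ends up as its own line in the generated config.
SERVER_CONF = """\
dev ovpns1
proto udp
port 1194
cipher AES-256-CBC
auth SHA512
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""

# Constructed sample client export: no 'auth' line, so OpenVPN uses SHA1.
CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-256-CBC
resolv-retry infinite
"""


def _directives(text):
    """Yield (keyword, args) for every directive in text.

    '#' starts a comment and a line beginning with ';' is a comment; a ';'
    anywhere else is treated as a directive separator, the way the pfSense
    advanced-options box is usually filled in ('auth SHA512; comp-lzo')."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        for stanza in line.split(";"):
            parts = stanza.split()
            if parts:
                yield parts[0].lower(), parts[1:]


def auth_digest(text):
    """Return the HMAC digest the config selects (upper-case), or the default."""
    for keyword, args in _directives(text):
        if keyword == "auth" and args:
            return args[0].upper()
    return DEFAULT_AUTH


def check_match(server_text, client_text):
    """Return (matches, server_digest, client_digest)."""
    server_digest = auth_digest(server_text)
    client_digest = auth_digest(client_text)
    return server_digest == client_digest, server_digest, client_digest


def set_auth(client_text, digest):
    """Return client_text with exactly one 'auth <digest>' directive.

    Lines without an 'auth' directive pass through untouched; a line that
    carries one is rebuilt from its directives (a comment on that line is
    dropped, duplicate 'auth' directives are removed)."""
    digest = digest.upper()
    out, done = [], False
    for raw in client_text.splitlines():
        stanzas = list(_directives(raw))
        if not any(k == "auth" for k, _ in stanzas):
            out.append(raw)
            continue
        rebuilt = []
        for keyword, args in stanzas:
            if keyword == "auth":
                if done:
                    continue
                rebuilt.append(f"auth {digest}")
                done = True
            else:
                rebuilt.append(" ".join([keyword, *args]))
        if rebuilt:
            out.append("; ".join(rebuilt))
    if not done:
        out.append(f"auth {digest}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ok, srv, cli = check_match(SERVER_CONF, CLIENT_OVPN)
    print(f"server auth={srv}  client auth={cli}  match={ok}")
    if not ok:
        print(set_auth(CLIENT_OVPN, srv))
```

Run against the constructed samples it reports a SHA512/SHA1 mismatch and prints the client profile with `auth SHA512` appended; pointing `CLIENT_OVPN` at a real export from the Client Export package gives the same check for profiles generated before the server's advanced option was added.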
            • Heli0s

              From a security standpoint, is it worth changing it? Also, what is the default hash that pfSense uses when creating user certs (when creating the user)? I know that when I manually create a cert I can change it to whatever I want, but when you create it from the user creation screen, it doesn't ask you the hash type/size.

              • cmb

                There's no need to change the HMAC alg, it's not like certs where SHA1 is no longer recommended.

                • Heli0s

                  What's the default cert algorithm?

                  • Derelict LAYER 8 Netgate

                    Dude, really?

                    ![Screen Shot 2014-11-08 at 10.34.11 AM.png](/public/imported_attachments/1/Screen Shot 2014-11-08 at 10.34.11 AM.png)

                    • Heli0s

                      I said I know how to do it when you manually create a cert. My question was about creating a cert when you create a user.

                      [Attachment: Untitled.png]

                      • Derelict LAYER 8 Netgate

                        Looks like sha256.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.