Logjam - DH and OpenVPN
-
Hi!
What is the implication of this here for my OpenVPN connections:
https://weakdh.org/
…and what to do now? :-o
kind regards
chemlud
-
I use both OpenVPN in pfSense and OpenVPN Access Server (commercial version); by default it generates 2048-bit DH keys. I set mine to 4K in pfSense, so I should be pretty safe from this type of attack.
Keep in mind the tunnel is still using 256-bit encryption, which is still safe. It's the keys they are after. If they get those, then that 256-bit encryption isn't going to offer any kind of protection regardless of bit size.
-
More information about the Logjam and OpenVPN:
http://blog.ayaz.pk/2015/05/25/securing-openvpn-against-logjam/
-
More interesting is: how are the pfSense DH parameters generated? Are they built-in and equal for each installation or do they get generated while/after installing a new machine? And if I want to replace them, how can I do so? Documentation falls short unfortunately.
Kind regards,
Dennis
-
The DH parameters are static and included in the repository. It is not difficult to generate new ones, but it can be very time consuming depending on the hardware in use.
https://doc.pfsense.org/index.php/Importing_OpenVPN_DH_Parameters
The time it takes to generate the DH parameters makes it highly impractical to generate them "on the fly", especially on older hardware. Even on current hardware it would add significant time to operations to re-generate them dynamically.
-
Thanks for your answer and your link to the docs. I generated my own already a month ago, which I feel is safer than using the default :).