From patchwork Wed Aug 20 15:42:23 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4367
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 20 Aug 2025 17:42:23 +0200
Message-ID: <20250820154234.31656-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v2] Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file

Since commit bd9aa06feb41 (Jan 2015) OpenVPN has allowed the use of '--dh none' to disable traditional Diffie Hellman, since more secure ECDH algorithms are available that do not use explicit DH parameters.

If configured with a sufficiently high securelevel (3+), or if running in FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests fail.

Thus, remove all the DH2048 stuff from our sample configs.
Github: triggered by OpenVPN/openvpn#819
Change-Id: If66438662bd862a195b2a69c4fa45f63838982b7
Signed-off-by: Gert Doering
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1145
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server index 58daeb56..1980218 100644 --- a/sample/sample-config-files/loopback-server +++ b/sample/sample-config-files/loopback-server @@ -17,7 +17,7 @@ verb 3 reneg-sec 10 tls-server -dh sample-keys/dh2048.pem +dh none ca sample-keys/ca.crt key sample-keys/server.key cert sample-keys/server.crt diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index f6d9e65..8943c34 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -87,11 +87,6 @@ cert server.crt key server.key # This file should be kept secret -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh2048.pem 2048 -dh dh2048.pem - # Allow to connect to really old OpenVPN versions # without AEAD support (OpenVPN 2.3.x or older) # This adds AES-256-CBC as fallback cipher and @@ -306,4 +301,4 @@ # Notify the client that when the server restarts so it # can automatically reconnect. -explicit-exit-notify 1 \ No newline at end of file +explicit-exit-notify 1 diff --git a/sample/sample-keys/dh2048.pem b/sample/sample-keys/dh2048.pem deleted file mode 100644 index d393581..0000000 --- a/sample/sample-keys/dh2048.pem +++ /dev/null 
@@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEAgGOVdT2c3GUITi1pF9u+yo72PRBW7I7SnNIsHmXCRYibpyPMGxKM -ROK6rduMllC0CjiXQZhMfqCg+GIca9xxBPKtTnwtKWD3eH5wgs24kw86mODITjJk -6lTNM8it2HY4UuIQoFCqCdt5f5Gwgh2nwU5+dy731md6pmw9x9jUEXoyh67CeZfb -C45x5ttzjpSBvYe5ZIiUypYKumYhdiZhk0RLefEtlUYF9oXrUExDqfYDpSO/1/X3 -oHC0O0EV3Lh1boZTG7+FjcvMYLIKYUDTmxHpII6/OAHhprg7U9ui1i7GyQRv1lze -QV3FGO4UwLntnv352iYy91b0ls2mwD+zTwIBAg== ------END DH PARAMETERS----- diff --git a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn index 5c670b1..1aabcb9 100644 --- a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn +++ b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn @@ -8,7 +8,7 @@ ca ../../sample-keys/ca.crt cert ../../sample-keys/server.crt key ../../sample-keys/server.key -dh ../../sample-keys/dh2048.pem +dh none server 10.8.0.0 255.255.255.0 port 1194
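Review bot: In the server.conf hunk at @@ -87,11 +87,6 @@ the `dh dh2048.pem` line and its comment block are deleted outright, whereas the loopback-server and server.ovpn hunks replace the directive with `dh none`. Please make the three samples consistent: either add `dh none` here too, or, if omitting `--dh` is equivalent, leave a one-line comment in place of the removed block (e.g. `# No DH parameters needed: ECDH is used (see --dh none)`) so readers of the annotated sample config learn why the `openssl dhparam` step is gone instead of copying it back from older guides.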
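Review bot: The @@ -306,4 +301,4 @@ hunk in server.conf only adds the missing trailing newline after `explicit-exit-notify 1`; fine to carry along, but it is unrelated to the DH change and deserves a sentence in the commit message so the diffstat is not surprising.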
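Review bot: Deleting sample/sample-keys/dh2048.pem removes a file the commit message says the tests relied on; before merging, grep the tree (test scripts, build file lists, docs that enumerate the sample-keys directory) for `dh2048` so that no reference outside the three configs touched here still points at the deleted file.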
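Added example, not part of this patch or of OpenVPN's code: a small Python audit that finds `dh <file>` directives in an OpenVPN config, reads the size of the prime p from the PEM parameters (PKCS#3 DER: SEQUENCE of INTEGER p, INTEGER g), and flags anything below 3072 bits, the minimum OpenSSL documents for DH at security level 3, recommending `dh none` as this patch does. The PEM builder and the 2048-bit sample prime are constructed here only to produce test input; the 3072-bit threshold and the config paths are my assumptions.

```python
import base64
import re

# PKCS#3 DH parameters are DER-encoded as SEQUENCE { INTEGER p, INTEGER g }.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_pem(p, g=2):
    """Build a 'DH PARAMETERS' PEM from p and g (used here only to construct sample input)."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64))   # outer SEQUENCE
    ptag, p_bytes, _ = _read_tlv(seq)                 # first element: INTEGER p
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("not a PKCS#3 DH parameter block")
    return int.from_bytes(p_bytes, "big").bit_length()

def audit_config(cfg_text, pem_files, min_bits=3072):
    """One (path, bits, verdict) per 'dh' directive; pem_files maps path -> PEM text."""
    out = []
    for line in cfg_text.splitlines():
        m = re.match(r"^\s*dh\s+(\S+)", line)
        if not m:
            continue
        path = m.group(1)
        if path == "none":
            out.append((path, 0, "ok: no DH file, ECDH only"))
            continue
        bits = dh_prime_bits(pem_files[path])
        out.append((path, bits, "ok" if bits >= min_bits else "replace with 'dh none'"))
    return out
```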