From patchwork Wed Aug 20 17:54:53 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4368
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 20 Aug 2025 19:54:53 +0200
Message-ID: <20250820175459.11227-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v3] Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file

Since commit bd9aa06feb41 (Jan 2015) OpenVPN has allowed the use of '--dh none' to disable traditional Diffie Hellman, since more secure ECDH algorithms are available that do not use explicit DH parameters.

If configured with a sufficiently high securelevel (3+), or if running in FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests fail.

Thus, remove all the DH2048 stuff from our sample configs.
Github: triggered by OpenVPN/openvpn#819
Change-Id: If66438662bd862a195b2a69c4fa45f63838982b7
Signed-off-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1145
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):

diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md index b47c544..45fa381 100644 --- a/doc/tests/authentication-plugins.md +++ b/doc/tests/authentication-plugins.md @@ -36,7 +36,7 @@ verb 4 dev tun server 10.8.0.0 255.255.255.0 - dh sample/sample-keys/dh2048.pem + dh none ca sample/sample-keys/ca.crt cert sample/sample-keys/server.crt key sample/sample-keys/server.key diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server index 58daeb56..1980218 100644 --- a/sample/sample-config-files/loopback-server +++ b/sample/sample-config-files/loopback-server @@ -17,7 +17,7 @@ verb 3 reneg-sec 10 tls-server -dh sample-keys/dh2048.pem +dh none ca sample-keys/ca.crt key sample-keys/server.key cert sample-keys/server.crt diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index f6d9e65..8943c34 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -87,11 +87,6 @@ cert server.crt key server.key # This file should be kept secret -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh2048.pem 2048 -dh dh2048.pem - # Allow to connect to really old OpenVPN versions # without AEAD support (OpenVPN 2.3.x or older) # This adds AES-256-CBC as fallback cipher and @@ -306,4 +301,4 @@ # Notify the client that when the server restarts so it # can automatically reconnect. -explicit-exit-notify 1 \ No newline at end of file +explicit-exit-notify 1 
diff --git a/sample/sample-keys/dh2048.pem b/sample/sample-keys/dh2048.pem deleted file mode 100644 index d393581..0000000 --- a/sample/sample-keys/dh2048.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEAgGOVdT2c3GUITi1pF9u+yo72PRBW7I7SnNIsHmXCRYibpyPMGxKM -ROK6rduMllC0CjiXQZhMfqCg+GIca9xxBPKtTnwtKWD3eH5wgs24kw86mODITjJk -6lTNM8it2HY4UuIQoFCqCdt5f5Gwgh2nwU5+dy731md6pmw9x9jUEXoyh67CeZfb -C45x5ttzjpSBvYe5ZIiUypYKumYhdiZhk0RLefEtlUYF9oXrUExDqfYDpSO/1/X3 -oHC0O0EV3Lh1boZTG7+FjcvMYLIKYUDTmxHpII6/OAHhprg7U9ui1i7GyQRv1lze -QV3FGO4UwLntnv352iYy91b0ls2mwD+zTwIBAg== ------END DH PARAMETERS----- diff --git a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn index 5c670b1..1aabcb9 100644 --- a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn +++ b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn @@ -8,7 +8,7 @@ ca ../../sample-keys/ca.crt cert ../../sample-keys/server.crt key ../../sample-keys/server.key -dh ../../sample-keys/dh2048.pem +dh none server 10.8.0.0 255.255.255.0 port 1194
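Review bot: in the first server.conf hunk the `dh dh2048.pem` line and its explanatory comment are removed outright, while the other three files replace the directive with an explicit `dh none`. server.conf is the sample most administrators copy, so consider keeping a `dh none` line with a one-line comment that classical DH is disabled in favour of ECDH; that teaches readers the directive the commit message relies on, and avoids the sample silently documenting a different configuration if omitting `dh` is not equivalent to `dh none` in every supported version.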
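Review bot: the second server.conf hunk only adds the missing trailing newline after `explicit-exit-notify 1`, an unrelated whitespace fix; either mention it in the commit message or leave it out so the change stays focused on the DH removal.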
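Review bot: deleting sample/sample-keys/dh2048.pem should come with a grep for remaining references outside the files touched here (any dist or EXTRA_DIST list that enumerates the sample keys, and any test script that copies them), otherwise a distribution build or test run can fail on the missing file; a sentence in the commit message telling users who copied `dh dh2048.pem` from the old samples to switch to `dh none` (or generate larger parameters themselves) would also help people upgrading.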
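A check an operator can run over a server config after this change, added here as an example (it is not part of the patch or of OpenVPN): it finds the `dh` directive, parses the modulus size out of the referenced PEM file, and reports whether OpenSSL at a given security level would still accept it. The per-level minimum DH sizes are taken from OpenSSL's SSL_CTX_set_security_level(3) manual; the sample PEM and config text are constructed (the modulus has the right size but is not a real safe prime).

```python
import base64
import re

# Minimum DH modulus OpenSSL accepts per security level (SSL_CTX_set_security_level(3)):
# level 3 and above reject the 2048-bit parameters the old sample configs shipped.
MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

def _read_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_modulus_bits(pem):
    """Bit length of p, the first INTEGER of the PKCS#3 DHParameter SEQUENCE { p, g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    der = base64.b64decode(m.group(1)) if m else b""
    if not der or der[0] != 0x30:
        raise ValueError("not a PEM DH PARAMETERS file")
    _, i = _read_len(der, 1)                    # skip the SEQUENCE header
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def check_config(conf_text, seclevel, read_file):
    """Classify the 'dh' directive of an OpenVPN server config for an OpenSSL security level.
    read_file(path) returns the PEM text of the referenced parameter file."""
    for raw in conf_text.splitlines():
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()   # strip comments, tokenize
        if len(parts) == 2 and parts[0] == "dh":
            if parts[1] == "none":
                return "ecdh-only"                      # what this patch switches the samples to
            bits = dh_modulus_bits(read_file(parts[1]))
            return "ok" if bits >= MIN_DH_BITS[seclevel] else "rejected"
    return "no-dh-directive"

# Constructed sample file: a 2048-bit modulus of the right size, NOT a real safe prime.
_P = ((1 << 2047) | 1).to_bytes(257, "big")        # leading 0x00 keeps the INTEGER positive
_DER = b"\x30\x82\x01\x08\x02\x82\x01\x01" + _P + b"\x02\x01\x02"   # SEQUENCE { p, g = 2 }
SAMPLE_DH2048_PEM = ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(_DER).decode()
                     + "-----END DH PARAMETERS-----\n")
SAMPLE_CONF = "tls-server\ndh dh2048.pem   # old sample-config style\nca ca.crt\n"

if __name__ == "__main__":
    for level in (2, 3):
        print("seclevel", level, check_config(SAMPLE_CONF, level, lambda _p: SAMPLE_DH2048_PEM))
```

Run against a real deployment, `read_file` would be a wrapper around `open(path).read()` resolved relative to the config's directory.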