Closed 255h closed 7 months ago
This does not "fix" anything.
Nothing, except private key disclosure...
Are you willing to explain which private key is disclosed, and how that is resolved with this pull request?
Potential disclosure, to be precise. Use of the same DH makes it vulnerable to an offline pre-compute attack. This renders the key exchange process unprotected if successful. Using openly available ones across a huge number of devices is calling for trouble.
Yeah... I know it's all the theory and stuff. But using 512-bit primes was considered perfectly safe too back in the day. Anyway, the OpenVPN docs do recommend generating prime numbers yourself for a reason. Some standards even require DH parameter rotation...
So this pull request does not fix a private key disclosure vulnerability or any other real world issue.
Also, merging this pull request would effectively break the installer on low-end systems, because generating Diffie-Hellman parameters is very CPU intensive.
Use openssl to create the .pem instead of using a hard-coded one.