Nyr / openvpn-install

OpenVPN road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora
MIT License
18.66k stars 4.81k forks

Fix: Generate DH pem instead of using hardcoded one #1079

Closed 255h closed 7 months ago

255h commented 7 months ago

Use openssl to create the .pem instead of using a hard-coded one.

Nyr commented 7 months ago

This does not "fix" anything.

255h commented 7 months ago

Nothing, except private key disclosure...

Nyr commented 7 months ago

Are you willing to explain which private key is disclosed, and how that is resolved with this pull request?

255h commented 7 months ago

Potential disclosure, to be precise. Use of the same DH parameters makes it vulnerable to an offline precomputation attack. This renders the key exchange process unprotected if successful. Using openly available ones across a huge number of devices is asking for trouble.

Yeah... I know it's all theory and stuff. But using 512-bit primes was considered perfectly safe too, back in the day. Anyway, the OpenVPN docs do recommend generating prime numbers yourself for a reason. Some standards even require DH parameter rotation...

Nyr commented 7 months ago

So this pull request does not fix a private key disclosure vulnerability or any other real-world issue.

Also, merging this pull request would effectively break the installer on low-end systems, because generating Diffie-Hellman parameters is very CPU intensive.
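The pull request swaps the hard-coded dh.pem for one written by `openssl dhparam`. Whichever way the file is produced, the properties the two sides argue about above are the ones worth confirming afterwards: that p is a safe prime of the expected size, and that the file is not a copy shared with a large number of other installations. The block below is an added example, not code from openvpn-install or from this PR. It is pure-stdlib Python that parses the PKCS#3 `DH PARAMETERS` PEM that `openssl dhparam` writes (a SEQUENCE of two INTEGERs, p and g), runs those checks with Miller-Rabin, and fingerprints the DER so the hash can be compared with a list of fingerprints of known shared files. The `toy_safe_prime` generator, the 256-bit size and the `known_shared` set are constructed for the demo only and are not how real parameters should be produced.

```python
"""Validate an OpenVPN dh.pem: safe prime of the expected size, and not a
widely shared copy. Added example; not part of openvpn-install or the PR."""
import base64
import hashlib
import random
import re


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with fixed witnesses so the verdict is repeatable."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(1)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# --- minimal DER for PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:            # long-form length, as used for 2048-bit p
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def encode_dhparams_pem(p: int, g: int) -> str:
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = re.findall(".{1,64}", b64)
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def parse_dhparams_pem(pem: str):
    """Return (p, g, der) from the PEM block `openssl dhparam` writes."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big"), der


def check_dhparams(pem: str, min_bits: int = 2048, known_shared=frozenset()) -> dict:
    """Size, primality, safe-prime and shared-copy checks.
    known_shared: SHA-256 hex fingerprints (over the DER) of files you know
    to be distributed to many hosts; hypothetical input, caller supplies it."""
    p, g, der = parse_dhparams_pem(pem)
    q = (p - 1) // 2
    fp = hashlib.sha256(der).hexdigest()
    return {
        "bits": p.bit_length(),
        "big_enough": p.bit_length() >= min_bits,
        "p_prime": is_probable_prime(p),
        # p = 2q+1 with q prime: every 1 < g < p-1 then has order q or 2q,
        # so there is no small subgroup for a peer to be pushed into.
        "safe_prime": is_probable_prime(q),
        "g_in_range": 1 < g < p - 1,
        "fingerprint": fp,
        "shared": fp in known_shared,
    }


def toy_safe_prime(bits: int, seed: int = 7) -> int:
    """Demo-only safe prime (constructed sample input). Real parameters come
    from `openssl dhparam` or equivalent at 2048 bits or more, not from here."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


if __name__ == "__main__":
    pem = encode_dhparams_pem(toy_safe_prime(256), 2)   # constructed sample
    report = check_dhparams(pem, min_bits=2048)
    for k, v in report.items():
        print(f"{k}: {v}")       # big_enough is False: 256-bit demo params
```

To use it on a real file, pass the contents of dh.pem to `check_dhparams` and compare `fingerprint` with `sha256sum` of the DER (`openssl dhparam -in dh.pem -outform DER | sha256sum`); a fingerprint that matches one you have seen on other hosts is the "same parameters everywhere" situation the thread is about. The Miller-Rabin rounds on a 2048-bit p and q take a few seconds in pure Python, which is cheap next to generating the parameters in the first place.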