search

OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility
Other
4.08k stars 1.2k forks source link

easy-rsa-3.0.7: default should be sha512 instead of sha256 #386

Closed mmokrejs closed 4 years ago

mmokrejs commented 4 years ago

It is said that newer amd64-compaitible CPUs have built-in sha512 and therefore it is much faster to use sha512 instead of sha256. Please adjust the variables in vars.example

Quoting from https://superuser.com/questions/1446201/openvpn-certificate-does-not-have-key-usage-extension

SHA256 or SHA512 should always be utilized, and if the server or client uses an x64 CPU, then SHA512 should always be utilized (x64 CPUs process SHA512 faster than SHA256). – JW0914 Nov 21 '19 at 13:27

ecrist commented 4 years ago

No

Eric F Crist

On May 15, 2020, at 4:32 PM, Martin Mokrejš notifications@github.com wrote:

It is said that newer amd64-compaitible CPUs have built-in sha512 and therefore it is much faster to use sha512 instead of sha256. Please adjust the variables in vars.example

Quoting from https://superuser.com/questions/1446201/openvpn-certificate-does-not-have-key-usage-extension https://superuser.com/questions/1446201/openvpn-certificate-does-not-have-key-usage-extension SHA256 or SHA512 should always be utilized, and if the server or client uses an x64 CPU, then SHA512 should always be utilized (x64 CPUs process SHA512 faster than SHA256). – JW0914 Nov 21 '19 at 13:27

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/OpenVPN/easy-rsa/issues/386, or unsubscribe https://github.com/notifications/unsubscribe-auth/AANXQP3M5ARZUCKYPCJHEF3RRWYGXANCNFSM4NCSR6XA.

mmokrejs commented 4 years ago 
$ openssl speed
...
Doing sha1 for 3s on 16 size blocks: 9823465 sha1's in 3.01s
Doing sha1 for 3s on 64 size blocks: 6863061 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 3691514 sha1's in 3.01s
Doing sha1 for 3s on 1024 size blocks: 1300752 sha1's in 3.01s
Doing sha1 for 3s on 8192 size blocks: 185550 sha1's in 3.01s
Doing sha256 for 3s on 16 size blocks: 7959374 sha256's in 3.01s
Doing sha256 for 3s on 64 size blocks: 4522349 sha256's in 3.01s
Doing sha256 for 3s on 256 size blocks: 2001993 sha256's in 3.01s
Doing sha256 for 3s on 1024 size blocks: 623721 sha256's in 3.01s
Doing sha256 for 3s on 8192 size blocks: 83963 sha256's in 3.01s
Doing sha512 for 3s on 16 size blocks: 5834050 sha512's in 3.01s
Doing sha512 for 3s on 64 size blocks: 5803601 sha512's in 3.01s
Doing sha512 for 3s on 256 size blocks: 2229738 sha512's in 3.01s
Doing sha512 for 3s on 1024 size blocks: 780203 sha512's in 3.01s
Doing sha512 for 3s on 8192 size blocks: 110925 sha512's in 3.01s
...
Doing aes-128 cbc for 3s on 16 size blocks: 16631586 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 64 size blocks: 4582800 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 256 size blocks: 1178842 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 1024 size blocks: 616729 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 8192 size blocks: 77732 aes-128 cbc's in 3.01s
Doing aes-192 cbc for 3s on 16 size blocks: 14278034 aes-192 cbc's in 3.01s
Doing aes-192 cbc for 3s on 64 size blocks: 3840961 aes-192 cbc's in 3.01s
Doing aes-192 cbc for 3s on 256 size blocks: 983728 aes-192 cbc's in 3.01s
Doing aes-192 cbc for 3s on 1024 size blocks: 520455 aes-192 cbc's in 3.01s
Doing aes-192 cbc for 3s on 8192 size blocks: 65554 aes-192 cbc's in 3.01s
Doing aes-256 cbc for 3s on 16 size blocks: 12411644 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 64 size blocks: 3317040 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 256 size blocks: 844056 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 1024 size blocks: 444248 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 8192 size blocks: 56192 aes-256 cbc's in 3.00s
Doing aes-128 ige for 3s on 16 size blocks: 17038900 aes-128 ige's in 3.01s
Doing aes-128 ige for 3s on 64 size blocks: 4431893 aes-128 ige's in 3.01s
Doing aes-128 ige for 3s on 256 size blocks: 1112575 aes-128 ige's in 3.01s
Doing aes-128 ige for 3s on 1024 size blocks: 281270 aes-128 ige's in 3.01s
Doing aes-128 ige for 3s on 8192 size blocks: 35166 aes-128 ige's in 3.01s
Doing aes-192 ige for 3s on 16 size blocks: 14406093 aes-192 ige's in 3.01s
Doing aes-192 ige for 3s on 64 size blocks: 3718785 aes-192 ige's in 3.01s
Doing aes-192 ige for 3s on 256 size blocks: 943293 aes-192 ige's in 3.01s
Doing aes-192 ige for 3s on 1024 size blocks: 237008 aes-192 ige's in 3.01s
Doing aes-192 ige for 3s on 8192 size blocks: 29640 aes-192 ige's in 3.01s
Doing aes-256 ige for 3s on 16 size blocks: 12445208 aes-256 ige's in 3.01s
Doing aes-256 ige for 3s on 64 size blocks: 3224630 aes-256 ige's in 3.01s
Doing aes-256 ige for 3s on 256 size blocks: 813153 aes-256 ige's in 3.01s
Doing aes-256 ige for 3s on 1024 size blocks: 203966 aes-256 ige's in 3.01s
Doing aes-256 ige for 3s on 8192 size blocks: 25527 aes-256 ige's in 3.01s

$ openssl engine
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
$ openssl version
OpenSSL 1.1.1g  21 Apr 2020
$
$ cat /proc/cpuinfo 
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 158
model name  : Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
stepping    : 9
microcode   : 0xca
cpu MHz     : 3637.578
cache size  : 8192 KB
physical id : 0
siblings    : 4
core id     : 0
cpu cores   : 4
apicid      : 0
initial apicid  : 0
fpu     : yes
fpu_exception   : yes
cpuid level : 22
wp      : yes
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d
bugs        : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit
bogomips    : 5799.77
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:

...
ecrist commented 4 years ago

$ random shit

Blah

???

Eric Crist

On May 15, 2020, at 5:32 PM, Martin Mokrejš notifications@github.com wrote:

 $ openssl speed ... Doing sha1 for 3s on 16 size blocks: 9823465 sha1's in 3.01s Doing sha1 for 3s on 64 size blocks: 6863061 sha1's in 3.00s Doing sha1 for 3s on 256 size blocks: 3691514 sha1's in 3.01s Doing sha1 for 3s on 1024 size blocks: 1300752 sha1's in 3.01s Doing sha1 for 3s on 8192 size blocks: 185550 sha1's in 3.01s Doing sha256 for 3s on 16 size blocks: 7959374 sha256's in 3.01s Doing sha256 for 3s on 64 size blocks: 4522349 sha256's in 3.01s Doing sha256 for 3s on 256 size blocks: 2001993 sha256's in 3.01s Doing sha256 for 3s on 1024 size blocks: 623721 sha256's in 3.01s Doing sha256 for 3s on 8192 size blocks: 83963 sha256's in 3.01s Doing sha512 for 3s on 16 size blocks: 5834050 sha512's in 3.01s Doing sha512 for 3s on 64 size blocks: 5803601 sha512's in 3.01s Doing sha512 for 3s on 256 size blocks: 2229738 sha512's in 3.01s Doing sha512 for 3s on 1024 size blocks: 780203 sha512's in 3.01s Doing sha512 for 3s on 8192 size blocks: 110925 sha512's in 3.01s ... Doing aes-128 cbc for 3s on 16 size blocks: 16631586 aes-128 cbc's in 3.01s Doing aes-128 cbc for 3s on 64 size blocks: 4582800 aes-128 cbc's in 3.01s Doing aes-128 cbc for 3s on 256 size blocks: 1178842 aes-128 cbc's in 3.01s Doing aes-128 cbc for 3s on 1024 size blocks: 616729 aes-128 cbc's in 3.01s Doing aes-128 cbc for 3s on 8192 size blocks: 77732 aes-128 cbc's in 3.01s Doing aes-192 cbc for 3s on 16 size blocks: 14278034 aes-192 cbc's in 3.01s Doing aes-192 cbc for 3s on 64 size blocks: 3840961 aes-192 cbc's in 3.01s Doing aes-192 cbc for 3s on 256 size blocks: 983728 aes-192 cbc's in 3.01s Doing aes-192 cbc for 3s on 1024 size blocks: 520455 aes-192 cbc's in 3.01s Doing aes-192 cbc for 3s on 8192 size blocks: 65554 aes-192 cbc's in 3.01s Doing aes-256 cbc for 3s on 16 size blocks: 12411644 aes-256 cbc's in 3.01s Doing aes-256 cbc for 3s on 64 size blocks: 3317040 aes-256 cbc's in 3.01s Doing aes-256 cbc for 3s on 256 size blocks: 844056 aes-256 cbc's in 3.01s Doing aes-256 cbc for 3s on 1024 size blocks: 444248 aes-256 cbc's in 3.01s Doing aes-256 cbc for 3s on 8192 size blocks: 56192 aes-256 cbc's in 3.00s Doing aes-128 ige for 3s on 16 size blocks: 17038900 aes-128 ige's in 3.01s Doing aes-128 ige for 3s on 64 size blocks: 4431893 aes-128 ige's in 3.01s Doing aes-128 ige for 3s on 256 size blocks: 1112575 aes-128 ige's in 3.01s Doing aes-128 ige for 3s on 1024 size blocks: 281270 aes-128 ige's in 3.01s Doing aes-128 ige for 3s on 8192 size blocks: 35166 aes-128 ige's in 3.01s Doing aes-192 ige for 3s on 16 size blocks: 14406093 aes-192 ige's in 3.01s Doing aes-192 ige for 3s on 64 size blocks: 3718785 aes-192 ige's in 3.01s Doing aes-192 ige for 3s on 256 size blocks: 943293 aes-192 ige's in 3.01s Doing aes-192 ige for 3s on 1024 size blocks: 237008 aes-192 ige's in 3.01s Doing aes-192 ige for 3s on 8192 size blocks: 29640 aes-192 ige's in 3.01s Doing aes-256 ige for 3s on 16 size blocks: 12445208 aes-256 ige's in 3.01s Doing aes-256 ige for 3s on 64 size blocks: 3224630 aes-256 ige's in 3.01s Doing aes-256 ige for 3s on 256 size blocks: 813153 aes-256 ige's in 3.01s Doing aes-256 ige for 3s on 1024 size blocks: 203966 aes-256 ige's in 3.01s Doing aes-256 ige for 3s on 8192 size blocks: 25527 aes-256 ige's in 3.01s $ cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 158 model name : Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz stepping : 9 microcode : 0xca cpu MHz : 3637.578 cache size : 8192 KB physical id : 0 siblings : 4 core id : 0 cpu cores : 4 apicid : 0 initial apicid : 0 fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit bogomips : 5799.77 clflush size : 64 cache_alignment : 64 address sizes : 39 bits physical, 48 bits virtual power management:

... — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

TinCanTech commented 4 years ago

It is said that newer amd64-compaitible CPUs have built-in sha512 and therefore it is much faster to use sha512 instead of sha256. Please adjust the variables in vars.example

The reason there are vars to edit is so that you can edit them.

ecrist commented 4 years ago

There's a number of low-power use cases for EasyRSA still, and changing this default would be potentially disruptive. In truth, as @TinCanTech stated, the whole point of the vars file is so you can make the defaults what you want. Rejecting this issue for now.