From: Michael Tremer
Date: Fri, 28 Apr 2017 12:01:41 +0000 (+0100)
Subject: OpenVPN: Use SHA512 by default
X-Git-Tag: v2.19-core111~37
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7090074557516deaaff9b1a84f4f8beec6c4dadd;p=ipfire-2.x.git
OpenVPN: Use SHA512 by default
This will break compatibility with old clients like Windows XP, but these are too old now to be supported. SHA1 is considered to be weak and should not be used any more
Signed-off-by: Michael Tremer
---
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 037894d50b..618dfc1af6 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2631,7 +2631,7 @@ ADV_ERROR:
 $cgiparams{'PMTU_DISCOVERY'} = 'off';
 }
 if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
 }
 if ($cgiparams{'TLSAUTH'} eq '') {
 $cgiparams{'TLSAUTH'} = 'off';
@@ -4454,7 +4454,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 $cgiparams{'MSSFIX'} = 'on';
 $cgiparams{'FRAGMENT'} = '1300';
 $cgiparams{'PMTU_DISCOVERY'} = 'off';
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
 ###
 # m.a.d n2n end
 ###
@@ -5037,7 +5037,7 @@ END
 $cgiparams{'MSSFIX'} = 'off';
 }
 if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
 }
 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
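Review bot: The fallback in the `ADV_ERROR:` hunk (and the identical one in the last hunk, around line 5037) changes what an empty `$cgiparams{'DAUTH'}` resolves to, but nothing visible handles setups whose clients were issued under the old SHA1 default. A stored `SHA1` is kept as is, while a setup that never saved the value would presumably now be written out with SHA512 and stop matching its deployed client configs, since OpenVPN needs the same `auth` digest on both ends. A comment at the fallback should say so, e.g. `# Default for new setups only; must match the 'auth' value in every client config.` The literal `'SHA512'` is also repeated in all three hunks; a single `my $default_dauth = 'SHA512';` would keep the next algorithm change in one place. Both enclosing blocks start and end outside the hunks.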
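Review bot: In the `TYPE eq 'net'` hunk the digest is assigned unconditionally, so every newly created net-to-net connection starts with SHA512 even when the remote peer runs a release that still defaults to SHA1. The two sides would then reject each other's packets on HMAC verification until one is changed by hand. These look like the form's initial defaults (inferred from the neighbouring MSSFIX/FRAGMENT assignments), so a short comment would help the next maintainer: `# n2n default; the remote side must be configured with the same digest.` The branch body continues outside the hunk.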