From 2d73540316af3986bcb3e162040b5aaef74b1845 Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Wed, 20 Aug 2025 19:54:53 +0200
Subject: [PATCH] Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file

Since commit bd9aa06feb41 (Jan 2015) OpenVPN has allowed to use '--dh none' to disable traditional Diffie Hellman, since more secure ECDH algorithms are available that do not use explicit DH parameters.

If configured with a suffiently high securelevel (3+), or if running in FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests fail.

Thus, remove all the DH2048 stuff from our sample configs.

Github: triggered by OpenVPN/openvpn#819
Change-Id: If66438662bd862a195b2a69c4fa45f63838982b7
Signed-off-by: Gert Doering
Message-Id: <20250820175459.11227-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32632.html
Signed-off-by: Gert Doering
---
 doc/tests/authentication-plugins.md | 2 +-
 sample/sample-config-files/loopback-server | 2 +-
 sample/sample-config-files/server.conf | 7 +------
 sample/sample-keys/dh2048.pem | 8 --------
 .../keying-material-exporter-demo/server.ovpn | 2 +-
 5 files changed, 4 insertions(+), 17 deletions(-)
 delete mode 100644 sample/sample-keys/dh2048.pem

diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md
index b47c5442e..45fa38100 100644
--- a/doc/tests/authentication-plugins.md
+++ b/doc/tests/authentication-plugins.md
@@ -36,7 +36,7 @@ To build the needed authentication plug-in, run:
 verb 4
 dev tun
 server 10.8.0.0 255.255.255.0
- dh sample/sample-keys/dh2048.pem
+ dh none
 ca sample/sample-keys/ca.crt
 cert sample/sample-keys/server.crt
 key sample/sample-keys/server.key
diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server
index 58daeb569..1980218d9 100644
--- a/sample/sample-config-files/loopback-server
+++ b/sample/sample-config-files/loopback-server
@@ -17,7 +17,7 @@ dev null
 verb 3
 reneg-sec 10
 tls-server
-dh sample-keys/dh2048.pem
+dh none
 ca sample-keys/ca.crt
 key sample-keys/server.key
 cert sample-keys/server.crt
diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf
index f6d9e65f0..8943c34e9 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -87,11 +87,6 @@ ca ca.crt
 cert server.crt
 key server.key # This file should be kept secret
 
-# Diffie hellman parameters.
-# Generate your own with:
-# openssl dhparam -out dh2048.pem 2048
-dh dh2048.pem
-
 # Allow to connect to really old OpenVPN versions
 # without AEAD support (OpenVPN 2.3.x or older)
 # This adds AES-256-CBC as fallback cipher and
@@ -306,4 +301,4 @@ verb 3
 
 # Notify the client that when the server restarts so it
 # can automatically reconnect.
-explicit-exit-notify 1
\ No newline at end of file
+explicit-exit-notify 1
diff --git a/sample/sample-keys/dh2048.pem b/sample/sample-keys/dh2048.pem
deleted file mode 100644
index d393581bd..000000000
--- a/sample/sample-keys/dh2048.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAgGOVdT2c3GUITi1pF9u+yo72PRBW7I7SnNIsHmXCRYibpyPMGxKM
-ROK6rduMllC0CjiXQZhMfqCg+GIca9xxBPKtTnwtKWD3eH5wgs24kw86mODITjJk
-6lTNM8it2HY4UuIQoFCqCdt5f5Gwgh2nwU5+dy731md6pmw9x9jUEXoyh67CeZfb
-C45x5ttzjpSBvYe5ZIiUypYKumYhdiZhk0RLefEtlUYF9oXrUExDqfYDpSO/1/X3
-oHC0O0EV3Lh1boZTG7+FjcvMYLIKYUDTmxHpII6/OAHhprg7U9ui1i7GyQRv1lze
-QV3FGO4UwLntnv352iYy91b0ls2mwD+zTwIBAg==
------END DH PARAMETERS-----
diff --git a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn
index 5c670b135..1aabcb90b 100644
--- a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn
+++ b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn
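Review bot: In the @@ -87,11 +87,6 @@ hunk server.conf loses the `dh` directive entirely, while loopback-server, server.ovpn and the authentication-plugins doc in this same patch switch to an explicit `dh none`; the hunk also deletes the only comment that explained the key-exchange setup, so the most heavily annotated sample config now says nothing about it. I cannot tell from the diff whether omitting `--dh` and setting `dh none` behave identically on the server side, so the explicit form is the safer choice for a file that users copy verbatim. Suggest keeping the block as `# Diffie Hellman parameters are no longer needed; key exchange uses ECDH (see --dh none in the manual)` followed by `dh none`, which keeps the sample consistent with the other configs and records why the former `openssl dhparam` instructions were dropped.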
@@ -8,7 +8,7 @@ plugin ./keyingmaterialexporter.so
 ca ../../sample-keys/ca.crt
 cert ../../sample-keys/server.crt
 key ../../sample-keys/server.key
-dh ../../sample-keys/dh2048.pem
+dh none
 server 10.8.0.0 255.255.255.0
 port 1194
 
-- 
2.47.3