From 2ccc799f8bd6a12c3edab5f1a89fab4d2cd05ea8 Mon Sep 17 00:00:00 2001
From: Erik Kapfer <erik.kapfer@ipfire.org>
Date: Thu, 27 Jan 2022 19:43:15 +0100
Subject: [PATCH] Finit_field_DH-parameter: Add ffdhe 4096 bit standard group
 like published in RFC7919

- Deleted Diffie-Hellman generation while PKI creation in ovpnmain.cgi (save imense time).
- Deleted Diffie-Hellman upload and generation section in ovpnmain.cgi
- Set static Diffie-Hellman parameter since custom ones are possibly abusable --> https://datatracker.ietf.org/doc/html/rfc7919.
- Standard Diffie-Hellman group will be added from -->
	https://wiki.openssl.org/index.php/Diffie-Hellman_parameters#RFC_7919_Groups (static const char g_ffdhe4096_sz)
	and integrated into the system while compilation of OpenSSL .
- New Diffie-Hellman location for OpenVPN is /etc/ssl/ffdhe4096.pem .

Update OpenVPN configurations converter Code for install.sh:

if pgrep -a openvpn | grep server.conf >/dev/null; then
     /usr/local/bin/openvpnctrl -k
     sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf
     /usr/local/bin/openvpnctrl -s
else
     if [ -f /var/ipfire/ovpn/server.conf ]; then
          sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf
     fi
fi

if pgrep -a openvpn | grep n2nconf >/dev/null; then
     /usr/local/bin/openvpnctrl -kn2n
     sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/n2nconf/*/*.conf
     /usr/local/bin/openvpnctrl -sn2n
else
     if [ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]; then
          sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/n2nconf/*/*.conf
     fi
fi

rm -f /var/ipfire/ca/dh1024.pem

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 config/rootfiles/common/openssl |   1 +
 config/ssl/ffdhe4096.pem        |  13 +++
 html/cgi-bin/ovpnmain.cgi       | 185 ++------------------------------
 langs/de/cgi-bin/de.pl          |  13 ---
 langs/en/cgi-bin/en.pl          |  13 ---
 lfs/openssl                     |   4 +
 6 files changed, 25 insertions(+), 204 deletions(-)
 create mode 100644 config/ssl/ffdhe4096.pem

diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index 345f487d7f..e23b5f77f9 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -2,6 +2,7 @@
 #etc/ssl/certs
 #etc/ssl/ct_log_list.cnf
 #etc/ssl/ct_log_list.cnf.dist
+etc/ssl/ffdhe4096.pem
 #etc/ssl/misc
 #etc/ssl/misc/CA.pl
 #etc/ssl/misc/tsget
diff --git a/config/ssl/ffdhe4096.pem b/config/ssl/ffdhe4096.pem
new file mode 100644
index 0000000000..3cf0fcbc01
--- /dev/null
+++ b/config/ssl/ffdhe4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5985d534c8..4101376b0d 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -75,6 +75,7 @@ my $name;
 my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my $dhparameter = "/etc/ssl/ffdhe4096.pem";
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 $cgiparams{'ENABLED'} = 'off';
@@ -86,8 +87,6 @@ $cgiparams{'COMPRESSION'} = 'off';
 $cgiparams{'ONLY_PROPOSED'} = 'off';
 $cgiparams{'ACTION'} = '';
 $cgiparams{'CA_NAME'} = '';
-$cgiparams{'DH_NAME'} = 'dh1024.pem';
-$cgiparams{'DHLENGHT'} = '';
 $cgiparams{'DHCP_DOMAIN'} = '';
 $cgiparams{'DHCP_DNS'} = '';
 $cgiparams{'DHCP_WINS'} = '';
@@ -218,28 +217,6 @@ sub deletebackupcert
 
 sub pkiconfigcheck
 {
-	# Warning if DH parameter is 1024 bit
-	if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
-		my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
-		my $dhbit;
-
-		# Loop through the output and search for the DH bit lenght.
-		foreach my $line (@dhparameter) {
-			if ($line =~ (/(\d+)/)) {
-				# Assign match to dhbit value.
-				$dhbit = $1;
-
-				last;
-			}
-		}
-
-		# Check if the used key lenght is at least 2048 bit.
-		if ($dhbit < 2048) {
-			$cryptoerror = "$Lang::tr{'ovpn error dh'}";
-			goto CRYPTO_ERROR;
-		}
-	}
-
 	# Warning if md5 is in usage
 	if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
 		my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
@@ -287,7 +264,7 @@ sub writeserverconf {
     print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
     print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
     print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
-    print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
+    print CONF "dh $dhparameter\n";
     my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
     print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
     #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
@@ -1348,102 +1325,6 @@ END
     exit (0);
 
 ###
-### Generate DH key step 2
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') {
-    # Delete if old key exists
-    if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
-        unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
-	}
-	# Create Diffie Hellmann Parameter
-	# The system call is safe, because all arguments are passed as an array.
-	system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
-	if ($?) {
-		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
-		unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
-	}
-
-###
-### Generate DH key step 1
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) {
-	&Header::showhttpheaders();
-	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
-	&Header::openbigbox('100%', 'LEFT', '', '');
-	&Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:");
-	print <<END;
-	<table width='100%'>
-	<tr>
-		<td width='20%'> </td> <td width='15%'></td> <td width='65%'></td>
-	</tr>
-	<tr>
-		<td class='base'>$Lang::tr{'ovpn dh'}:</td>
-		<td align='center'>
-		<form method='post'><input type='hidden' name='AREUSURE' value='yes' />
-		<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
-			<select name='DHLENGHT'>
-				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
-				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
-				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
-			</select>
-		</td>
-	</tr>
-	<tr><td colspan='4'><br></td></tr>
-	</table>
-	<table width='100%'>
-	<tr>
-		<b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'}
-	</tr>
-	<tr>
-		<td class='base'>$Lang::tr{'dh key warn1'}</td>
-	</tr>
-	<tr><td colspan='2'><br></td></tr>
-	<tr>
-		<td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
-		</form>
-	</tr>
-	</table>
-
-END
-	;
-	&Header::closebox();
-	print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
-	&Header::closebigbox();
-	&Header::closepage();
-	exit (0);
-
-###
-### Upload DH key
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
-    unless (ref ($cgiparams{'FH'})) {
-         $errormessage = $Lang::tr{'there was no file upload'};
-         goto UPLOADCA_ERROR;
-    }
-    # Move uploaded dh key to a temporary file
-    (my $fh, my $filename) = tempfile( );
-    if (copy ($cgiparams{'FH'}, $fh) != 1) {
-        $errormessage = $!;
-	goto UPLOADCA_ERROR;
-    }
-    my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename");
-    if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) {
-        $errormessage = $Lang::tr{'not a valid dh key'};
-        unlink ($filename);
-        goto UPLOADCA_ERROR;
-    } else {
-	# Delete if old key exists
-	if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
-		unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
-	}
-
- 	unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) {
-		$errormessage = "$Lang::tr{'dh key move failed'}: $!";
-		unlink ($filename);
-		goto UPLOADCA_ERROR;
-    	}
-    }
-###
 ### Upload CA Certificate
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
@@ -2018,21 +1899,6 @@ END
 	    &cleanssldatabase();
 	    goto ROOTCERT_ERROR;
 	}
-	# Create Diffie Hellmann Parameter
-	# The system call is safe, because all arguments are passed as an array.
-	system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
-	if ($?) {
-	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
-	    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
-	    unlink ("${General::swroot}/ovpn/certs/servercert.pem");
-	    unlink ("${General::swroot}/ovpn/ca/cacert.pem");
-	    unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
-	    unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
-	    &cleanssldatabase();
-	    goto ROOTCERT_ERROR;
-#	} else {
-#	    &cleanssldatabase();
-	}
 	goto ROOTCERT_SUCCESS;
     }
     ROOTCERT_ERROR:
@@ -2082,14 +1948,6 @@ END
 	}
 	print <<END;
 	    </select></td>
-	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
-		<td class='base'><select name='DHLENGHT'>
-				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
-				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
-				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
-			</select>
-		</td>
-	</tr>
 
 	<tr><td>&nbsp;</td>
 	    <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
@@ -2097,16 +1955,6 @@ END
 	<tr><td class='base' colspan='4' align='left'>
 	    <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
 	<tr><td colspan='2'><br></td></tr>
-	<table width='100%'>
-	<tr>
-		<b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'}
-		<td class='base'>$Lang::tr{'dh key warn'}</td>
-	</tr>
-	<tr>
-		<td class='base'>$Lang::tr{'dh key warn1'}</td>
-	</tr>
-	<tr><td colspan='2'><br></td></tr>
-	<tr>
 	</table>
 
 	<table width='100%'>
@@ -2622,14 +2470,14 @@ else
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
 
-    if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
+    if (! -e "$dhparameter") {
 	$errormessage = $Lang::tr{'not present'};
 	} else {
 		&Header::showhttpheaders();
 		&Header::openpage($Lang::tr{'ovpn'}, 1, '');
 		&Header::openbigbox('100%', 'LEFT', '', '');
 		&Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
-		my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+		my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
 		my $output = &Header::cleanhtml(join("", @output) ,"y");
 		print "<pre>$output</pre>\n";
 		&Header::closebox();
@@ -5375,7 +5223,7 @@ END
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
 	if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
-	     -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
+	     -e "$dhparameter" &&
 	     -e "${General::swroot}/ovpn/certs/servercert.pem" &&
 	     -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
 	    (( $cgiparams{'ENABLED'} eq 'on') || 
@@ -5751,8 +5599,8 @@ END
     }
 
     # Adding DH parameter to chart
-    if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
-		my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+    if (-f "$dhparameter") {
+		my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
 		my $dhsubject;
 
 		foreach my $line (@dhsubject) {
@@ -5909,25 +5757,6 @@ END
 				<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
 			</tr>
 		</table>
-
-		<br>
-
-		<table border='0' width='100%'>
-			<tr>
-				<td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
-			</tr>
-
-			<tr>
-				<td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
-				<td width='30%'><input type='file' name='FH' size='25'>
-				<td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
-			</tr>
-
-			<tr>
-				<td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
-				<td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
-			</tr>
-		</table>
 	</form>
 	
 	<br><hr>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cf34fd86ee..a21b7337c7 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -759,10 +759,6 @@
 'device' => 'Gerät',
 'devices on blue' => 'Geräte auf BLAU',
 'dh' => 'Diffie-Hellman-Parameter',
-'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.',
-'dh key warn' => 'Das Erzeugen eines Diffie-Hellman-Parameters mit 2048 Bit dauert üblicherweise einige Minuten. Parameter von 3072 oder 4096 Bit Länge beanspruchen gegebenenfalls mehrere Stunden. Bitte haben Sie etwas Geduld.',
-'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen, lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.',
-'dh parameter' => 'Diffie-Hellman-Parameter',
 'dhcp advopt add' => 'DHCP Option hinzufügen',
 'dhcp advopt added' => 'DHCP Option hinzugefügt',
 'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein',
@@ -1308,11 +1304,9 @@
 'fwhost wo subnet' => '(Ohne Subnetz)',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway-IP',
-'gen dh' => 'Neuen Diffie-Hellman-Parameter erzeugen',
 'gen static key' => 'Statischen Schlüssel erzeugen',
 'generate' => 'Root/Host-Zertifikate generieren',
 'generate a certificate' => 'Erzeuge ein Zertifikat:',
-'generate dh key' => 'Diffie-Hellman Key generieren',
 'generate iso' => 'ISO erstellen',
 'generate ptr' => 'PTR erzeugen',
 'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate',
@@ -1823,7 +1817,6 @@
 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben',
 'noservicename' => 'Kein Dienstname wurde eingegeben',
 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.',
-'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.',
 'not affected' => 'Nicht betroffen',
 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden',
 'not present' => '<B>Nicht</B> vorhanden',
@@ -1928,15 +1921,10 @@
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
 'ovpn device' => 'OpenVPN-Gerät',
-'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
-'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
-'ovpn dh parameters' => 'Diffie-Hellman-Parameter Optionen',
-'ovpn dh upload' => 'Neuen Diffie-Hellman-Parameter hochladen',
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
-'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
 'ovpn ha' => 'Hash-Algorithmus',
@@ -2606,7 +2594,6 @@
 'upload a certificate' => 'Ein Zertifikat hochladen:',
 'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:',
 'upload ca certificate' => 'CA-Zertifikat hochladen',
-'upload dh key' => 'Diffie-Hellman-Parameter hochladen',
 'upload file' => 'Datei zum Hochladen',
 'upload new ruleset' => 'Neuen Regelsatz hochladen',
 'upload p12 file' => 'PKCS12-Datei hochladen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index b170647139..2e5d8b7dfb 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -792,10 +792,6 @@
 'device' => 'Device',
 'devices on blue' => 'Devices on BLUE',
 'dh' => 'Diffie-Hellman parameters',
-'dh key move failed' => 'Diffie-Hellman parameters move failed.',
-'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.',
-'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.',
-'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".',
 'dh parameter' => 'Diffie-Hellman parameters',
 'dhcp advopt add' => 'Add a DHCP option',
 'dhcp advopt added' => 'DHCP option added',
@@ -1352,11 +1348,9 @@
 'g.lite' => 'TO BE REMOVED',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway IP',
-'gen dh' => 'Generate new Diffie-Hellman parameters',
 'gen static key' => 'Generate a static key',
 'generate' => 'Generate root/host zertifikate',
 'generate a certificate' => 'Generate a certificate:',
-'generate dh key' => 'Generate Diffie-Hellman parameters',
 'generate iso' => 'Generate ISO',
 'generate ptr' => 'Generate PTR',
 'generate root/host certificates' => 'Generate root/host certificates',
@@ -1872,7 +1866,6 @@
 'nonetworkname' => 'No Network Name entered',
 'noservicename' => 'No Service Name entered',
 'not a valid ca certificate' => 'Not a valid CA certificate.',
-'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.',
 'not affected' => 'Not Affected',
 'not enough disk space' => 'Not enough disk space',
 'not present' => '<b>Not</b> present',
@@ -1980,15 +1973,10 @@
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
 'ovpn device' => 'OpenVPN device:',
-'ovpn dh' => 'Diffie-Hellman parameters length',
-'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
-'ovpn dh parameters' => 'Diffie-Hellman parameters options',
-'ovpn dh upload' => 'Upload new Diffie-Hellman parameters',
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
-'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',
 'ovpn ha' => 'Hash algorithm',
@@ -2668,7 +2656,6 @@
 'upload a certificate' => 'Upload a certificate:',
 'upload a certificate request' => 'Upload a certificate request:',
 'upload ca certificate' => 'Upload CA certificate',
-'upload dh key' => 'Upload Diffie-Hellman parameters',
 'upload fcdsl.o' => 'TO BE REMOVED',
 'upload file' => 'Upload file',
 'upload new ruleset' => 'Upload new ruleset',
diff --git a/lfs/openssl b/lfs/openssl
index 6af9042529..20cbc35c80 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -123,5 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && make install
 	install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl
 
+	# Install RFC7919 defined standard group ffdhe4096
+	install -m 0644 $(DIR_SRC)/config/ssl/ffdhe4096.pem /etc/ssl
+	chown nobody:nobody /etc/ssl/ffdhe4096.pem
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
-- 
2.47.2