
Bumping default dh key lengths

Bob Mottram 9 years ago
parent
commit
b994a9c66c
5 changed files with 9 additions and 7 deletions
  1. 2
    2
      doc/EN/beaglebone.txt
  2. 1
    1
      src/freedombone
  3. 1
    1
      src/freedombone-addcert
  4. 3
    1
      src/freedombone-config
  5. 2
    2
      src/freedombone-sec

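--- a/doc/EN/beaglebone.txt
+++ b/doc/EN/beaglebone.txt
@@ -1650,7 +1650,7 @@
    -keyout /etc/ssl/private/$HOSTNAME.key \
    -out /etc/ssl/certs/$HOSTNAME.crt
 
-openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
+openssl dhparam -check -text -5 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
 
 chmod 400 /etc/ssl/private/$HOSTNAME.key
 chmod 640 /etc/ssl/certs/$HOSTNAME.crt
@@ -7362,7 +7362,7 @@
 
 initialrepair_start() {
 echo "Starting $SERVICE..."
-su --command "screen -h 1024 -dmS ${SERVICE} ${INVOCATION}" root
+su --command "screen -h 2048 -dmS ${SERVICE} ${INVOCATION}" root
 }
 
 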

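--- a/src/freedombone
+++ b/src/freedombone
@@ -417,7 +417,7 @@
 IPFS_PORT=4001
 
 # Default diffie-hellman key length in bits
-DH_KEYLENGTH=1024
+DH_KEYLENGTH=2048
 
 # repo for atheros AR9271 wifi driver
 ATHEROS_WIFI_REPO='https://github.com/qca/open-ath9k-htc-firmware.git'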
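Review bot: `DH_KEYLENGTH=2048` is now hard-coded separately here (line 420), in src/freedombone-addcert (line 39) and in src/freedombone-sec (line 56), which is why this bump had to touch three scripts, and the next change will have to find all three again. Unless each script must run fully standalone, a single definition in a sourced settings file would make the shared default explicit; failing that, a `# keep in sync with freedombone-addcert and freedombone-sec` comment beside each copy at least flags the coupling. The comment above the value could also carry the reason for the new default that only the freedombone-config hunk states, e.g. `# Default diffie-hellman key length in bits (1024 may be breakable, see freedombone-config)`.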

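--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -36,7 +36,7 @@
 UNIT="Freedombone Unit"
 EXTENSIONS=""
 NODH=
-DH_KEYLENGTH=1024
+DH_KEYLENGTH=2048
 
 function show_help {
     echo ''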

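--- a/src/freedombone-config
+++ b/src/freedombone-config
@@ -695,7 +695,9 @@
     if [[ $INSTALLING_ON_BBB == "yes" ]]; then
         USB_DRIVE=/dev/sda1
         # here a short diffie-hellman key length is used, because otherwise creation of keys
-        # becomes impractically long on the beaglebone.
+        # becomes impractically long on the beaglebone. It is known (as of 2015) that
+        # 1024bit DH may be breakable, so this is really a tradeoff between security and the
+        # available hardware
         DH_KEYLENGTH=1024
     fi
     save_configuration_file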
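Review bot: The new comment records the security tradeoff only in the source, so an operator installing on a BeagleBone never learns that their host keeps the weaker 1024-bit setting while every other install now defaults to 2048. I would pair the assignment with a console message, e.g. `echo "WARNING: using 1024 bit DH parameters on the BeagleBone because generation of larger ones is very slow; consider regenerating them later"`, since the freedombone-sec changes in this commit (a REGENERATE_DH_KEYS setting and a key-length radiolist) suggest the length can be raised after installation, though I am inferring that and it should be confirmed. Two wording nits in the added comment: `1024bit` should read `1024-bit`, and the last line should end with a full stop. This block is indented as if it sits inside a function whose start and end lie outside the hunk.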

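--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -53,7 +53,7 @@
 REGENERATE_SSH_HOST_KEYS="no"
 REGENERATE_DH_KEYS="no"
 RESET_TRIPWIRE="no"
-DH_KEYLENGTH=1024
+DH_KEYLENGTH=2048
 
 function get_protocols_from_website {
   if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
@@ -347,7 +347,7 @@
       dialog --backtitle "Freedombone Security Configuration" \
              --title "Diffie-Hellman key length" \
              --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
-             1 "1024 bits" off \
+             1 "1024 bits (WARNING: this may be insecure)" off \
              2 "2048 bits" on \
              3 "3072 bits" off 2> $data
       sel=$?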
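Review bot: The radiolist prompt on line 349 still reads `The smaller length is better suited to low power embedded systems:` with no qualification, so the heading recommends exactly the option that the new label on item 1 warns against, and a user who reads the prompt first will take the warning as an afterthought. I would move the caveat into the prompt so the two agree, e.g. `--radiolist "Smaller lengths are faster on low power embedded systems, but 1024 bits is not recommended:" 12 40 3 \`, and keep the item label short. The prompt's width argument (40) may need raising for the longer text; the dialog call continues within this hunk but the enclosing function starts above it.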