
Reduce the calculation time for dhparams

Otherwise it just takes too long on the beaglebone
Bob Mottram il y a 10 ans
Parent
révision
caf1f53dd2
4 fichiers modifiés avec 9 ajouts et 14 suppressions
  1. 1
    1
      doc/EN/beaglebone.txt
  2. 1
    1
      src/freedombone-addcert
  3. 0
    5
      src/freedombone-config
  4. 7
    7
      src/freedombone-sec

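--- a/doc/EN/beaglebone.txt
+++ b/doc/EN/beaglebone.txt
@@ -1650,7 +1650,7 @@ openssl req \
   -keyout /etc/ssl/private/$HOSTNAME.key \
   -out /etc/ssl/certs/$HOSTNAME.crt
 
-openssl dhparam -check -text -5 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
+openssl dhparam -check -text -dsaparam 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
 
 chmod 400 /etc/ssl/private/$HOSTNAME.key
 chmod 640 /etc/ssl/certs/$HOSTNAME.crt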

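--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -218,7 +218,7 @@ fi
 # generate DH params
 if [ ! $NODH ]; then
 	if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
-		openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
+		openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
 		chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
 	fi
 fi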
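Review bot: The switch to `-dsaparam` on the rewritten `openssl dhparam` line trades safe-prime parameters for DSA-style ones, which are only safe for ephemeral DHE where every handshake draws a fresh private exponent; if any consumer of `/etc/ssl/certs/$CERTFILE.dhparam` reuses its DH private key across connections, the small-subgroup structure of such parameters can expose that key. The commit also deletes the only comment that recorded the speed/security tradeoff (the freedombone-config hunk), so nothing in the code now explains the choice. I would put `# -dsaparam: fast to generate on the BBB, but not a safe prime; only valid for ephemeral DHE (fresh key per handshake)` above the line, and confirm that the services loading this file do not reuse DH keys — that is not visible here. The same applies to the `openssl dhparam` line in src/freedombone-sec.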

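--- a/src/freedombone-config
+++ b/src/freedombone-config
@@ -763,11 +763,6 @@ function interactive_configuration {
         esac
         if [[ $INSTALLING_ON_BBB == "yes" ]]; then
             USB_DRIVE=/dev/sda1
-            # here a short diffie-hellman key length is used, because otherwise creation of keys
-            # becomes impractically long on the beaglebone. It is known (as of 2015) that
-            # 1024bit DH may be breakable, so this is really a tradeoff between security and the
-            # available hardware
-            DH_KEYLENGTH=1024
         fi
         save_configuration_file
     fi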

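--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -351,18 +351,18 @@ function regenerate_dh_keys {
       dialog --backtitle "Freedombone Security Configuration" \
              --title "Diffie-Hellman key length" \
              --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
-             1 "1024 bits (WARNING: this may be insecure)" off \
-             2 "2048 bits" on \
-             3 "3072 bits" off 2> $data
+             1 "2048 bits" off \
+             2 "3072 bits" on \
+             3 "4096 bits" off 2> $data
       sel=$?
       case $sel in
           1) exit 1;;
           255) exit 1;;
       esac
       case $(cat $data) in
-          1) DH_KEYLENGTH=1024;;
-          2) DH_KEYLENGTH=2048;;
-          3) DH_KEYLENGTH=3072;;
+          1) DH_KEYLENGTH=2048;;
+          2) DH_KEYLENGTH=3072;;
+          3) DH_KEYLENGTH=4096;;
       esac
 
       ctr=0
@@ -371,7 +371,7 @@ function regenerate_dh_keys {
           if [[ -f $file ]]; then
               filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
               if [ -f $filename ]; then
-                  openssl dhparam -check -text -5 $DH_KEYLENGTH -out $filename
+                  openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
                   ctr=$((ctr + 1))
               fi
           fi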
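Review bot: The rewritten `openssl dhparam` line in the second hunk still has no status check, so `ctr` is incremented and the regeneration counted as a success even when generation fails, and because `-out $filename` writes straight into the live parameter file a failure can leave it empty or partial for the services that load it (whether the output is truncated before generation depends on the installed OpenSSL — worth confirming). Generate into a temporary name and replace only on success: `if openssl dhparam -check -text -dsaparam "$DH_KEYLENGTH" -out "$filename.tmp"; then mv -- "$filename.tmp" "$filename"; ctr=$((ctr + 1)); fi`. regenerate_dh_keys starts before the first hunk and continues past the second.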