Reduce the calculation time for dhparams

Otherwise it just takes too long on the beaglebone
2015-11-30 22:20:22 +00:00 · 2015-11-30 22:20:22 +00:00 · caf1f53dd2
parent 83d4d6a871
commit caf1f53dd2
4 changed files with 9 additions and 14 deletions
--- a/doc/EN/beaglebone.txt
+++ b/doc/EN/beaglebone.txt
@ -1650,7 +1650,7 @@ openssl req \
  -keyout /etc/ssl/private/$HOSTNAME.key \
  -out /etc/ssl/certs/$HOSTNAME.crt

-openssl dhparam -check -text -5 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
+openssl dhparam -check -text -dsaparam 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam

 chmod 400 /etc/ssl/private/$HOSTNAME.key
 chmod 640 /etc/ssl/certs/$HOSTNAME.crt
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@ -218,7 +218,7 @@ fi
 # generate DH params
 if [ ! $NODH ]; then
 	if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
-		openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
+		openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
 		chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
 	fi
 fi
--- a/src/freedombone-config
+++ b/src/freedombone-config
@ -763,11 +763,6 @@ function interactive_configuration {
        esac
        if [[ $INSTALLING_ON_BBB == "yes" ]]; then
            USB_DRIVE=/dev/sda1
-            # here a short diffie-hellman key length is used, because otherwise creation of keys
-            # becomes impractically long on the beaglebone. It is known (as of 2015) that
-            # 1024bit DH may be breakable, so this is really a tradeoff between security and the
-            # available hardware
-            DH_KEYLENGTH=1024
        fi
        save_configuration_file
    fi
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@ -351,18 +351,18 @@ function regenerate_dh_keys {
      dialog --backtitle "Freedombone Security Configuration" \
             --title "Diffie-Hellman key length" \
             --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
-             1 "1024 bits (WARNING: this may be insecure)" off \
-             2 "2048 bits" on \
-             3 "3072 bits" off 2> $data
+             1 "2048 bits" off \
+             2 "3072 bits" on \
+             3 "4096 bits" off 2> $data
      sel=$?
      case $sel in
          1) exit 1;;
          255) exit 1;;
      esac
      case $(cat $data) in
-          1) DH_KEYLENGTH=1024;;
-          2) DH_KEYLENGTH=2048;;
-          3) DH_KEYLENGTH=3072;;
+          1) DH_KEYLENGTH=2048;;
+          2) DH_KEYLENGTH=3072;;
+          3) DH_KEYLENGTH=4096;;
      esac

      ctr=0
@ -371,7 +371,7 @@ function regenerate_dh_keys {
          if [[ -f $file ]]; then
              filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
              if [ -f $filename ]; then
-                  openssl dhparam -check -text -5 $DH_KEYLENGTH -out $filename
+                  openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
                  ctr=$((ctr + 1))
              fi
          fi