
DH Size vs Key_Size

Posted: Sat Jan 05, 2019 7:33 pm
by atclaus
Can anyone point me in the direction of some documentation on the differences between a 4096 bit DH4096.pem and a vars KEY_SIZE=4096 (or explain it here)?

I see some posts on OpenVPN about strengthening the DH to 4096 (done), but noticed that my certificates are still 2048 unless I change KEY_SIZE to 4096 as well in /etc/openvpn/easy-rsa/vars.

Even changing that does not change the TLS key that I generated, which sticks to 2048. Thanks!

Re: DH Size vs Key_Size

Posted: Sat Jan 05, 2019 10:19 pm
by TinCanTech
atclaus wrote:
Sat Jan 05, 2019 7:33 pm
Can anyone point me in the direction of some documentation on the differences between a 4096 bit DH4096.pem and a vars KEY_SIZE=4096 (or explain it here)?

I see some posts on OpenVPN about strengthening the DH to 4096 (done), but noticed that my certificates are still 2048 unless I change KEY_SIZE to 4096 as well in /etc/openvpn/easy-rsa/vars.
See vars


# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)

#set_var EASYRSA_KEY_SIZE	2048
atclaus wrote:
Sat Jan 05, 2019 7:33 pm
Even changing that does not change the TLS key that I generated, which sticks to 2048
The TLS key is fixed at 2048 because that is all that will ever be used (more than enough, in fact).
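The sizes in this thread live in three different files: dh4096.pem carries DH group parameters (a prime p and a generator g), KEY_SIZE sets the RSA modulus of the certificate key pairs, and the tls-auth key (usually ta.key) is OpenVPN's static key format. The block below, an added Python example that is not code from this thread or from OpenVPN/easy-rsa, parses the DH parameter file and the static key file to show where each one's bit size actually comes from; its sample inputs are constructed in the code and are not real parameters or key material.

```python
import base64

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_tlv(tag, body):
    """Encode one DER tag-length-value, using long-form length when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _der_tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep it positive

def make_dh_pem(p, g=2):
    """Build a 'DH PARAMETERS' PEM (PKCS#3): SEQUENCE { INTEGER p, INTEGER g }."""
    b64 = base64.b64encode(_der_tlv(0x30, _der_int(p) + _der_int(g))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def _payload(text):
    """Strip PEM armour lines and '#' comments, returning the encoded payload."""
    return "".join(l for l in text.splitlines() if not l.startswith(("#", "-----")))

def dh_param_bits(pem):
    """The 'size' of dhNNNN.pem is the bit length of p, the first INTEGER."""
    der = base64.b64decode(_payload(pem))
    assert der[0] == 0x30, "expected SEQUENCE"
    _, i = _der_len(der, 1)                 # step into the SEQUENCE
    assert der[i] == 0x02, "expected INTEGER p"
    plen, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def static_key_bits(text):
    """ta.key ('OpenVPN Static key V1') is 256 raw bytes written as hex: 2048 bits."""
    return len(bytes.fromhex(_payload(text))) * 8

# Constructed samples, not real material: a 4096-bit odd number stands in for the
# safe prime a genuine dh4096.pem carries; a fixed byte pattern stands in for ta.key.
SAMPLE_DH_PEM = make_dh_pem((1 << 4095) | 1)
_hex = bytes(range(256)).hex()
SAMPLE_TA_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
                 + "\n".join(_hex[i:i + 32] for i in range(0, 512, 32))
                 + "\n-----END OpenVPN Static key V1-----\n")
```

Regenerating dh4096.pem changes only p's bit length; it has no effect on the RSA modulus in the certificates (that is KEY_SIZE) or on the static key, whose format has a fixed 256-byte payload.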

Re: DH Size vs Key_Size

Posted: Sun Jan 06, 2019 6:11 pm
by atclaus
I saw that. But what is the difference between DH and keypairs in the protocol?

Re: DH Size vs Key_Size

Posted: Mon Jan 07, 2019 1:17 am
by Pippin