Page 1 of 1
DH Size vs Key_Size
Posted: Sat Jan 05, 2019 7:33 pm
by atclaus
Can anyone point me in the direction of some documentation on the differences between a 4096 bit DH4096.pem and a vars KEY_SIZE=4096 (or explain it here)?
I see some posts on OpenVPN about strengthening the DH to 4096 (done), but noticed that my certificates are still 2048 unless I change KEY_SIZE to 4096 as well in /etc/openvpn/easy-rsa/vars.
Even changing that does not change the TLS key that I generated, which sticks to 2048. Thanks!
Re: DH Size vs Key_Size
Posted: Sat Jan 05, 2019 10:19 pm
by TinCanTech
atclaus wrote: ↑Sat Jan 05, 2019 7:33 pm
Can anyone point me in the direction of some documentation on the differences between a 4096 bit DH4096.pem and a vars KEY_SIZE=4096 (or explain it here)?
I see some posts on OpenVPN about strengthening the DH to 4096 (done), but noticed that my certificates are still 2048 unless I change KEY_SIZE to 4096 as well in /etc/openvpn/easy-rsa/vars.
See vars
Code: Select all
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
#set_var EASYRSA_KEY_SIZE 2048
atclaus wrote: ↑Sat Jan 05, 2019 7:33 pm
Even changing that does not change the TLS key that I generated, which sticks to 2048
the TLS key is fixed at 2048 because that is all that will ever be used (more than enough in fact)
Re: DH Size vs Key_Size
Posted: Sun Jan 06, 2019 6:11 pm
by atclaus
I saw that. But what is the difference between DH and keypairs in the protocol?
Re: DH Size vs Key_Size
Posted: Mon Jan 07, 2019 1:17 am
by Pippin