DH Size vs Key_Size

This forum is for admins who are looking to build or expand their OpenVPN setup.

atclaus
OpenVpn Newbie
Posts: 9
Joined: Mon Dec 31, 2018 5:44 pm

DH Size vs Key_Size

Post by atclaus » Sat Jan 05, 2019 7:33 pm

Can anyone point me in the direction of some documentation on the differences between a 4096 bit DH4096.pem and a vars KEY_SIZE=4096 (or explain it here)?

I see some posts on OpenVPN about strengthening the DH to 4096 (done), but noticed that my certificates are still 2048 unless I change KEY_SIZE to 4096 as well in /etc/openvpn/easy-rsa/vars.

Even changing that does not change the TLS key that I generated, which sticks to 2048. Thanks!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: DH Size vs Key_Size

Post by TinCanTech » Sat Jan 05, 2019 10:19 pm

atclaus wrote:
Sat Jan 05, 2019 7:33 pm
Can anyone point me in the direction of some documentation on the differences between a 4096 bit DH4096.pem and a vars KEY_SIZE=4096 (or explain it here)?

I see some posts on OpenVPN about strengthening the DH to 4096 (done), but noticed that my certificates are still 2048 unless I change KEY_SIZE to 4096 as well in /etc/openvpn/easy-rsa/vars.

See vars

# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)

#set_var EASYRSA_KEY_SIZE	2048

atclaus wrote:
Sat Jan 05, 2019 7:33 pm
Even changing that does not change the TLS key that I generated, which sticks to 2048

The TLS key is fixed at 2048 because that is all that will ever be used (more than enough in fact).
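
Added example (not part of any post in this thread, and not OpenVPN or Easy-RSA project code): a shell script that reads the size of each of the three files discussed above, so the DH parameter size, the certificate key size and the fixed "TLS key" size can be checked independently of one another. It assumes the "TLS key" is an OpenVPN static key file; the function names, file names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Sizes of the three independent secrets from the thread. Paths are assumptions.

# DH parameters file: the size is fixed when the file is generated.
dh_bits() {
    openssl dhparam -in "$1" -noout -text |
        sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Certificate keypair: sized by KEY_SIZE / EASYRSA_KEY_SIZE when the key is created.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# OpenVPN static key file (assumed to be the thread's "TLS key"): count the hex
# digits between the BEGIN/END markers; each digit carries 4 bits.
static_key_bits() {
    hex_digits=$(sed -n '/BEGIN OpenVPN Static key V1/,/END OpenVPN Static key V1/p' "$1" |
        grep -v -e '-----' | tr -cd '0-9a-fA-F' | wc -c)
    echo $((hex_digits * 4))
}

# Constructed sample, not a real key: 16 lines of 32 hex digits in static-key layout.
write_sample_static_key() {
    {
        echo '# 2048 bit OpenVPN static key'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            echo '0123456789abcdef0123456789abcdef'
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
}

# Usage: sh sizes.sh dh.pem server.crt ta.key   (file names are placeholders)
if [ "$#" -eq 3 ]; then
    echo "DH parameters:       $(dh_bits "$1") bit"
    echo "Certificate keypair: $(cert_key_bits "$2") bit"
    echo "Static key:          $(static_key_bits "$3") bit"
fi
```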

atclaus
OpenVpn Newbie
Posts: 9
Joined: Mon Dec 31, 2018 5:44 pm

Re: DH Size vs Key_Size

Post by atclaus » Sun Jan 06, 2019 6:11 pm

I saw that. But what is the difference between DH and keypairs in the protocol?

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: DH Size vs Key_Size

Post by Pippin » Mon Jan 07, 2019 1:17 am

