Can anyone point me in the direction of some documentation on the differences between a 4096 bit DH4096.pem and a vars KEY_SIZE=4096 (or explain it here)?
I see some posts on OpenVPN about strengthening the DH to 4096 (done), but noticed that my certificates are still 2048 unless I change KEY_SIZE to 4096 as well in /etc/openvpn/easy-rsa/vars.
Even changing that does not change the TLS key that I generated, which sticks to 2048. Thanks!
DH Size vs Key_Size
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: DH Size vs Key_Size
See vars
atclaus wrote: ↑Sat Jan 05, 2019 7:33 pm
> Can anyone point me in the direction of some documentation on the differences between a 4096 bit DH4096.pem and a vars KEY_SIZE=4096 (or explain it here)?
> I see some posts on OpenVPN about strengthening the DH to 4096 (done), but noticed that my certificates are still 2048 unless I change KEY_SIZE to 4096 as well in /etc/openvpn/easy-rsa/vars.
Code:
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
#set_var EASYRSA_KEY_SIZE 2048
The TLS key is fixed at 2048 because that is all that will ever be used (more than enough, in fact).
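An added example, not part of the thread and not easy-rsa or OpenVPN code: a small Python check that reports the size of the two files discussed above, the DH parameter file and the static "TLS key", assuming the latter is an OpenVPN static key file. The function names and both sample inputs are constructed for illustration; the sample DH prime has the right length but is not a real prime.

```python
import base64
import re

def _tlv(tag, body):  # DER tag-length-value encoder, used only to build the sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

def _read_len(buf, i):
    """Return (content length, content offset) of the DER element at buf[i]."""
    first = buf[i + 1]
    if first < 0x80:
        return first, i + 2
    k = first & 0x7F
    return int.from_bytes(buf[i + 2:i + 2 + k], "big"), i + 2 + k

def _pem_body(text, label):
    m = re.search(f"-----BEGIN {label}-----(.*?)-----END {label}-----", text, re.S)
    if not m:
        raise ValueError(f"no {label} block found")
    return m.group(1)

def dh_prime_bits(pem):
    """Bit length of p in DH PARAMETERS: SEQUENCE { INTEGER p, INTEGER g }."""
    der = base64.b64decode(_pem_body(pem, "DH PARAMETERS"))
    _, i = _read_len(der, 0)
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("not SEQUENCE { INTEGER ... }")
    n, j = _read_len(der, i)
    return int.from_bytes(der[j:j + n], "big").bit_length()

def static_key_bits(text):
    """Bits of key material in an 'OpenVPN Static key V1' file (hex lines)."""
    return len(bytes.fromhex("".join(_pem_body(text, "OpenVPN Static key V1").split()))) * 8

def sample_dh_pem(bits):  # constructed sample: right size, NOT a real safe prime
    p = (1 << (bits - 1)) | 1
    body = _tlv(0x02, p.to_bytes(bits // 8 + 1, "big")) + _tlv(0x02, b"\x02")
    b64 = base64.encodebytes(_tlv(0x30, body)).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}-----END DH PARAMETERS-----\n"

def sample_static_key():  # constructed sample: 16 hex lines of 16 bytes, not a real key
    hexs = bytes(range(256)).hex()
    lines = "\n".join(hexs[i:i + 32] for i in range(0, 512, 32))
    return f"# constructed\n-----BEGIN OpenVPN Static key V1-----\n{lines}\n-----END OpenVPN Static key V1-----\n"

if __name__ == "__main__":
    print("dh:", dh_prime_bits(sample_dh_pem(4096)), "static key:", static_key_bits(sample_static_key()))
```

To check real files, pass the text of the DH parameter file and of the static key file to the two functions in place of the constructed samples.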
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Dec 31, 2018 5:44 pm
Re: DH Size vs Key_Size
I saw that. But what is the difference between DH and keypairs in the protocol?
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn