OpenVPN: Replace existing Diffie-Hellman parameter with ffdhe4096

Initial patch: https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2ccc799f8bd6a12c3edab5f1a89fab4d2cd05ea8 Minor adjustments to make it apply to the current state of "next", and removal of chown operation in OpenSSL's LFS file, which would have lead to the Diffie-Hellman group file being writable by nobody, for which there is no necessity. Fixes: #12632 From: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2026-04-09 10:35:53 +02:00 · 2022-11-11 12:14:37 +00:00
parent c899c04b11
commit 35494eac83
8 changed files with 11 additions and 260 deletions
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -2,6 +2,7 @@
 #etc/ssl/certs
 #etc/ssl/ct_log_list.cnf
 #etc/ssl/ct_log_list.cnf.dist
+etc/ssl/ffdhe4096.pem
 #etc/ssl/misc
 #etc/ssl/misc/CA.pl
 #etc/ssl/misc/tsget
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -78,6 +78,7 @@ my $name;
 my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my $dhparameter = "/etc/ssl/ffdhe4096.pem";

 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 $cgiparams{'ENABLED'} = 'off';
@@ -89,8 +90,6 @@ $cgiparams{'COMPRESSION'} = 'off';
 $cgiparams{'ONLY_PROPOSED'} = 'off';
 $cgiparams{'ACTION'} = '';
 $cgiparams{'CA_NAME'} = '';
-$cgiparams{'DH_NAME'} = 'dh1024.pem';
-$cgiparams{'DHLENGHT'} = '';
 $cgiparams{'DHCP_DOMAIN'} = '';
 $cgiparams{'DHCP_DNS'} = '';
 $cgiparams{'DHCP_WINS'} = '';
@@ -221,28 +220,6 @@ sub deletebackupcert

 sub pkiconfigcheck
 {
-	# Warning if DH parameter is 1024 bit
-	if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
-		my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
-		my $dhbit;
-
-		# Loop through the output and search for the DH bit lenght.
-		foreach my $line (@dhparameter) {
-			if ($line =~ (/(\d+)/)) {
-				# Assign match to dhbit value.
-				$dhbit = $1;
-
-				last;
-			}
-		}
-
-		# Check if the used key lenght is at least 2048 bit.
-		if ($dhbit < 2048) {
-			$cryptoerror = "$Lang::tr{'ovpn error dh'}";
-			goto CRYPTO_ERROR;
-		}
-	}
-
 	# Warning if md5 is in usage
 	if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
 		my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
@@ -290,7 +267,7 @@ sub writeserverconf {
    print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
    print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
    print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
-    print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
+    print CONF "dh $dhparameter\n";
    my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
    print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
    #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
@@ -1358,102 +1335,6 @@ END
    exit (0);

 ###
-### Generate DH key step 2
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') {
-    # Delete if old key exists
-    if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
-        unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
-	}
-	# Create Diffie Hellmann Parameter
-	# The system call is safe, because all arguments are passed as an array.
-	system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
-	if ($?) {
-		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
-		unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
-	}
-
-###
-### Generate DH key step 1
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) {
-	&Header::showhttpheaders();
-	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
-	&Header::openbigbox('100%', 'LEFT', '', '');
-	&Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:");
-	print <<END;
-	<table width='100%'>
-	<tr>
-		<td width='20%'> </td> <td width='15%'></td> <td width='65%'></td>
-	</tr>
-	<tr>
-		<td class='base'>$Lang::tr{'ovpn dh'}:</td>
-		<td align='center'>
-		<form method='post'><input type='hidden' name='AREUSURE' value='yes' />
-		<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
-			<select name='DHLENGHT'>
-				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
-				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
-				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
-			</select>
-		</td>
-	</tr>
-	<tr><td colspan='4'><br></td></tr>
-	</table>
-	<table width='100%'>
-	<tr>
-		<b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'}
-	</tr>
-	<tr>
-		<td class='base'>$Lang::tr{'dh key warn1'}</td>
-	</tr>
-	<tr><td colspan='2'><br></td></tr>
-	<tr>
-		<td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
-		</form>
-	</tr>
-	</table>
-
-END
-	;
-	&Header::closebox();
-	print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
-	&Header::closebigbox();
-	&Header::closepage();
-	exit (0);
-
-###
-### Upload DH key
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
-    unless (ref ($cgiparams{'FH'})) {
-         $errormessage = $Lang::tr{'there was no file upload'};
-         goto UPLOADCA_ERROR;
-    }
-    # Move uploaded dh key to a temporary file
-    (my $fh, my $filename) = tempfile( );
-    if (copy ($cgiparams{'FH'}, $fh) != 1) {
-        $errormessage = $!;
-	goto UPLOADCA_ERROR;
-    }
-    my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename");
-    if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) {
-        $errormessage = $Lang::tr{'not a valid dh key'};
-        unlink ($filename);
-        goto UPLOADCA_ERROR;
-    } else {
-	# Delete if old key exists
-	if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
-		unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
-	}
-
- 	unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) {
-		$errormessage = "$Lang::tr{'dh key move failed'}: $!";
-		unlink ($filename);
-		goto UPLOADCA_ERROR;
-    	}
-    }
-###
 ### Upload CA Certificate
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
@@ -2028,21 +1909,6 @@ END
 	    &cleanssldatabase();
 	    goto ROOTCERT_ERROR;
 	}
-	# Create Diffie Hellmann Parameter
-	# The system call is safe, because all arguments are passed as an array.
-	system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
-	if ($?) {
-	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
-	    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
-	    unlink ("${General::swroot}/ovpn/certs/servercert.pem");
-	    unlink ("${General::swroot}/ovpn/ca/cacert.pem");
-	    unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
-	    unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
-	    &cleanssldatabase();
-	    goto ROOTCERT_ERROR;
-#	} else {
-#	    &cleanssldatabase();
-	}
 	goto ROOTCERT_SUCCESS;
    }
    ROOTCERT_ERROR:
@@ -2092,14 +1958,6 @@ END
 	}
 	print <<END;
 	    </select></td>
-	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
-		<td class='base'><select name='DHLENGHT'>
-				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
-				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
-				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
-			</select>
-		</td>
-	</tr>

 	<tr><td>&nbsp;</td>
 	    <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
@@ -2107,16 +1965,6 @@ END
 	<tr><td class='base' colspan='4' align='left'>
 	    <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
 	<tr><td colspan='2'><br></td></tr>
-	<table width='100%'>
-	<tr>
-		<b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'}
-		<td class='base'>$Lang::tr{'dh key warn'}</td>
-	</tr>
-	<tr>
-		<td class='base'>$Lang::tr{'dh key warn1'}</td>
-	</tr>
-	<tr><td colspan='2'><br></td></tr>
-	<tr>
 	</table>

 	<table width='100%'>
@@ -2681,14 +2529,14 @@ END
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {

-    if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
+    if (! -e "$dhparameter") {
 	$errormessage = $Lang::tr{'not present'};
 	} else {
 		&Header::showhttpheaders();
 		&Header::openpage($Lang::tr{'ovpn'}, 1, '');
 		&Header::openbigbox('100%', 'LEFT', '', '');
 		&Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
-		my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+		my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
 		my $output = &Header::cleanhtml(join("", @output) ,"y");
 		print "<pre>$output</pre>\n";
 		&Header::closebox();
@@ -5447,7 +5295,7 @@ END
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
 	if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
-	     -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
+	     -e "$dhparameter" &&
 	     -e "${General::swroot}/ovpn/certs/servercert.pem" &&
 	     -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
 	    (( $cgiparams{'ENABLED'} eq 'on') ||
@@ -5838,8 +5686,8 @@ END
    }

    # Adding DH parameter to chart
-    if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
-		my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+    if (-f "$dhparameter") {
+		my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
 		my $dhsubject;

 		foreach my $line (@dhsubject) {
@@ -5996,25 +5844,6 @@ END
 				<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
 			</tr>
 		</table>
-
-		<br>
-
-		<table border='0' width='100%'>
-			<tr>
-				<td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
-			</tr>
-
-			<tr>
-				<td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
-				<td width='30%'><input type='file' name='FH' size='25'>
-				<td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
-			</tr>
-
-			<tr>
-				<td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
-				<td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
-			</tr>
-		</table>
 	</form>

 	<br><hr>
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -760,11 +760,6 @@
 'details' => 'Mehr',
 'device' => 'Gerät',
 'devices on blue' => 'Geräte auf BLAU',
-'dh' => 'Diffie-Hellman-Parameter',
-'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.',
-'dh key warn' => 'Das Erzeugen eines Diffie-Hellman-Parameters mit 2048 Bit dauert üblicherweise einige Minuten. Parameter von 3072 oder 4096 Bit Länge beanspruchen gegebenenfalls mehrere Stunden. Bitte haben Sie etwas Geduld.',
-'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen, lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.',
-'dh parameter' => 'Diffie-Hellman-Parameter',
 'dhcp advopt add' => 'DHCP Option hinzufügen',
 'dhcp advopt added' => 'DHCP Option hinzugefügt',
 'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein',
@@ -898,7 +893,6 @@
 'download' => 'herunterladen',
 'download ca certificate' => 'CA-Zertifikat herunterladen',
 'download certificate' => 'Datei herunterladen',
-'download dh parameter' => 'Diffie-Hellman-Parameter herunterladen',
 'download host certificate' => 'Host-Zertifikat herunterladen',
 'download new ruleset' => 'Neuen Regelsatz herunterladen',
 'download pkcs12 file' => 'PKCS12-Datei herunterladen',
@@ -1313,11 +1307,9 @@
 'fwhost wo subnet' => '(Ohne Subnetz)',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway-IP',
-'gen dh' => 'Neuen Diffie-Hellman-Parameter erzeugen',
 'gen static key' => 'Statischen Schlüssel erzeugen',
 'generate' => 'Root/Host-Zertifikate generieren',
 'generate a certificate' => 'Erzeuge ein Zertifikat:',
-'generate dh key' => 'Diffie-Hellman Key generieren',
 'generate iso' => 'ISO erstellen',
 'generate ptr' => 'PTR erzeugen',
 'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate',
@@ -1860,7 +1852,6 @@
 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben',
 'noservicename' => 'Kein Dienstname wurde eingegeben',
 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.',
-'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.',
 'not affected' => 'Nicht betroffen',
 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden',
 'not present' => '<B>Nicht</B> vorhanden',
@@ -1961,15 +1952,10 @@
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
 'ovpn device' => 'OpenVPN-Gerät',
-'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
-'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
-'ovpn dh parameters' => 'Diffie-Hellman-Parameter Optionen',
-'ovpn dh upload' => 'Neuen Diffie-Hellman-Parameter hochladen',
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
-'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
 'ovpn ha' => 'Hash-Algorithmus',
@@ -2270,7 +2256,6 @@
 'show ca certificate' => 'CA Zertifikat anzeigen',
 'show certificate' => 'Datei anzeigen',
 'show crl' => 'Certificate Revocation List anzeigen',
-'show dh' => 'Diffie-Hellman-Parameter anzeigen',
 'show host certificate' => 'Host-Zertifikat anzeigen',
 'show last x lines' => 'die letzten x Zeilen anzeigen',
 'show otp qrcode' => 'Zeige OTP QRCode',
@@ -2645,7 +2630,6 @@
 'upload a certificate' => 'Ein Zertifikat hochladen:',
 'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:',
 'upload ca certificate' => 'CA-Zertifikat hochladen',
-'upload dh key' => 'Diffie-Hellman-Parameter hochladen',
 'upload file' => 'Datei zum Hochladen',
 'upload new ruleset' => 'Neuen Regelsatz hochladen',
 'upload p12 file' => 'PKCS12-Datei hochladen',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -794,12 +794,6 @@
 'details' => 'Details',
 'device' => 'Device',
 'devices on blue' => 'Devices on BLUE',
-'dh' => 'Diffie-Hellman parameters',
-'dh key move failed' => 'Diffie-Hellman parameters move failed.',
-'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.',
-'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.',
-'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".',
-'dh parameter' => 'Diffie-Hellman parameters',
 'dhcp advopt add' => 'Add a DHCP option',
 'dhcp advopt added' => 'DHCP option added',
 'dhcp advopt blank value' => 'DHCP Option value cannot be empty.',
@@ -939,7 +933,6 @@
 'download apple profile' => 'Download Apple Configuration Profile',
 'download ca certificate' => 'Download CA certificate',
 'download certificate' => 'Download file',
-'download dh parameter' => 'Download Diffie-Hellman parameters',
 'download host certificate' => 'Download host certificate',
 'download new ruleset' => 'Download new ruleset',
 'download pkcs12 file' => 'Download PKCS12 file',
@@ -1358,11 +1351,9 @@
 'g.lite' => 'TO BE REMOVED',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway IP',
-'gen dh' => 'Generate new Diffie-Hellman parameters',
 'gen static key' => 'Generate a static key',
 'generate' => 'Generate root/host zertifikate',
 'generate a certificate' => 'Generate a certificate:',
-'generate dh key' => 'Generate Diffie-Hellman parameters',
 'generate iso' => 'Generate ISO',
 'generate ptr' => 'Generate PTR',
 'generate root/host certificates' => 'Generate root/host certificates',
@@ -1911,7 +1902,6 @@
 'nonetworkname' => 'No Network Name entered',
 'noservicename' => 'No Service Name entered',
 'not a valid ca certificate' => 'Not a valid CA certificate.',
-'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.',
 'not affected' => 'Not Affected',
 'not enough disk space' => 'Not enough disk space',
 'not present' => '<b>Not</b> present',
@@ -2015,15 +2005,10 @@
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
 'ovpn device' => 'OpenVPN device:',
-'ovpn dh' => 'Diffie-Hellman parameters length',
-'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
-'ovpn dh parameters' => 'Diffie-Hellman parameters options',
-'ovpn dh upload' => 'Upload new Diffie-Hellman parameters',
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
-'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',
 'ovpn ha' => 'Hash algorithm',
@@ -2327,7 +2312,6 @@
 'show ca certificate' => 'Show CA certificate',
 'show certificate' => 'Show file',
 'show crl' => 'Show certificate revocation list',
-'show dh' => 'Show Diffie-Hellman parameters',
 'show host certificate' => 'Show host certificate',
 'show last x lines' => 'Show last x lines',
 'show lines' => 'Show lines',
@@ -2710,7 +2694,6 @@
 'upload a certificate' => 'Upload a certificate:',
 'upload a certificate request' => 'Upload a certificate request:',
 'upload ca certificate' => 'Upload CA certificate',
-'upload dh key' => 'Upload Diffie-Hellman parameters',
 'upload fcdsl.o' => 'TO BE REMOVED',
 'upload file' => 'Upload file',
 'upload new ruleset' => 'Upload new ruleset',
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -799,12 +799,6 @@
 'details' => 'Détails',
 'device' => 'Périphérique',
 'devices on blue' => 'Périphériques sur BLEU',
-'dh' => 'Paramètres Diffie-Hellman',
-'dh key move failed' => 'Le déplacement des paramètres Diffie-Hellman a échoué.',
-'dh key warn' => 'La création de paramètres DH avec des longueurs de 1024 ou 2048 bits prend plusieurs minutes. Des longueurs de 3072 ou 4096 bits peuvent nécessiter plusieurs heures. Soyez patient.',
-'dh key warn1' => 'Pour des systèmes faibles ou avec peu d\'entropie, il est recommandé de télécharger les paramètres Diffie-Hellman longs en utilisant la fonction de téléchargement.',
-'dh name is invalid' => 'Le nom est invalide, veuillez utiliser "dh1024.pem".',
-'dh parameter' => 'Paramètres Diffie-Hellman',
 'dhcp advopt add' => 'Ajouter une option DHCP',
 'dhcp advopt added' => 'Option DHCP ajoutée',
 'dhcp advopt blank value' => 'La valeur de l\'option DHCP ne peut pas être vide.',
@@ -944,7 +938,6 @@
 'download apple profile' => 'Télécharger le profil de configuration Apple',
 'download ca certificate' => 'Télécharger le certificat CA',
 'download certificate' => 'Télécharger le certificat',
-'download dh parameter' => 'Télécharger paramètres Diffie-Hellman',
 'download host certificate' => 'Télécharger le certificat de l\'hôte',
 'download new ruleset' => 'Télécharger de nouvelles règles',
 'download pkcs12 file' => 'Télécharger le fichier PKCS12',
@@ -1360,11 +1353,9 @@
 'fwhost wo subnet' => '(sans sous-réseau)',
 'gateway' => 'Passerelle ',
 'gateway ip' => 'IP passerelle',
-'gen dh' => 'Générer nouveaux paramètres Diffie-Hellman ',
 'gen static key' => 'Générer une clef statique',
 'generate' => 'Générer un certificat racine / hôte',
 'generate a certificate' => 'Générer un certificat :',
-'generate dh key' => 'Générer paramètres Diffie-Hellman',
 'generate iso' => 'Générer ISO',
 'generate ptr' => 'Générer PTR ',
 'generate root/host certificates' => 'Générer des certificats root / hôte',
@@ -1917,7 +1908,6 @@
 'nonetworkname' => 'Aucun nom de réseau saisi',
 'noservicename' => 'Aucun nom de service saisi',
 'not a valid ca certificate' => 'Le certificat CA n\'est pas valide.',
-'not a valid dh key' => 'Ce n\'est pas un fichier de paramètres Diffie-Hellman valide. Veuillez choisir une longueur de 1024, 2048, 3072 ou 4096 bits et le format PKCS#3.',
 'not affected' => 'Non affecté',
 'not enough disk space' => 'Pas assez d\'espace sur le disque',
 'not present' => '<b>Absent</b>',
@@ -2021,15 +2011,10 @@
 'ovpn connection name' => 'Nom de la connexion ',
 'ovpn crypt options' => 'Options cryptographiques',
 'ovpn device' => 'Périphérique OpenVPN :',
-'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ',
-'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ',
-'ovpn dh parameters' => 'Options de paramètres Diffie-Hellman',
-'ovpn dh upload' => 'Mettre à jour nouveaux paramètres Diffie-Hellman ',
 'ovpn dl' => 'Télécharger Config OVPN',
 'ovpn engines' => 'Moteur Crypto',
 'ovpn errmsg green already pushed' => 'La route pour le réseau VERT est toujours activée',
 'ovpn errmsg invalid ip or mask' => 'Adresse ou masque de sous-réseau invalide',
-'ovpn error dh' => 'Le paramètre Diffie-Hellman doit être au minimum à 2048 bits ! <br>Veuillez générer ou télécharger un nouveau paramètre Diffie-Hellman, cela peut être fait ci-dessous dans la section "Options de paramètres Diffie-Hellman".</br>',
 'ovpn error md5' => 'Votre certificat hôte utilise MD5 pour la signature qui n\'est plus acceptée. <br>Veuillez mettre à jour la dernière version d\'IPFire et générez un nouveau certificat racine et hôte..</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés!</br>',
 'ovpn generating the root and host certificates' => 'La génération du certificat racine et hôte peut prendre du temps.',
 'ovpn ha' => 'Algorithme de hashage',
@@ -2335,7 +2320,6 @@
 'show ca certificate' => 'Afficher le certificat CA',
 'show certificate' => 'Afficher le certificat',
 'show crl' => 'Montrer la liste de révocation des certificats',
-'show dh' => 'Afficher les paramètres Diffie-Hellman',
 'show host certificate' => 'Afficher le certificat hôte',
 'show last x lines' => 'Montrer les dernières x lignes',
 'show lines' => 'Montrer les lignes',
@@ -2718,7 +2702,6 @@
 'upload a certificate' => 'Envoyer un certificat :',
 'upload a certificate request' => 'Envoyer une demande de certificat :',
 'upload ca certificate' => 'Envoyer un certificat CA',
-'upload dh key' => 'Télécharger paramètres Diffie-Hellman',
 'upload file' => 'Envoyer un fichier',
 'upload new ruleset' => 'Télécharger un nouveau réglement',
 'upload p12 file' => 'Envoyer fichier PKCS12',
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -681,12 +681,6 @@
 'details' => 'Dettagli',
 'device' => 'Device',
 'devices on blue' => 'Devices on Blu',
-'dh' => 'Diffie-Hellman parameters',
-'dh key move failed' => 'Diffie-Hellman parameters move failed.',
-'dh key warn' => 'Creating DH-parameters with lengths of 1024 or 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.',
-'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.',
-'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".',
-'dh parameter' => 'Diffie-Hellman parameters',
 'dhcp advopt add' => 'Aggiungere un opzione DHCP',
 'dhcp advopt added' => 'Opzione DHCP aggiunto',
 'dhcp advopt blank value' => 'DHCP opzione non può essere vuoto.',
@@ -796,7 +790,6 @@
 'download' => 'download',
 'download ca certificate' => 'Download CA certificate',
 'download certificate' => 'Download certificate',
-'download dh parameter' => 'Download Diffie-Hellman parameters',
 'download host certificate' => 'Download host certificate',
 'download new ruleset' => 'Scarica il nuovo set di regole',
 'download pkcs12 file' => 'Download PKCS12 file',
@@ -1158,11 +1151,9 @@
 'g.lite' => 'TO BE REMOVED',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway IP',
-'gen dh' => 'Generate new Diffie-Hellman parameters',
 'gen static key' => 'Generate a static key',
 'generate' => 'Generate root/host zertifikate',
 'generate a certificate' => 'Generate a certificate:',
-'generate dh key' => 'Generate Diffie-Hellman parameters',
 'generate iso' => 'Genera file ISO',
 'generate root/host certificates' => 'Generate root/host certificates',
 'generate tripwire keys and init' => 'generate tripwire keys and init',
@@ -1594,7 +1585,6 @@
 'nonetworkname' => 'No Network Name entered',
 'noservicename' => 'No Service Name entered',
 'not a valid ca certificate' => 'Not a valid CA certificate.',
-'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.',
 'not enough disk space' => 'Spazio su disco insufficiente',
 'not present' => '<b>Non</b> presente',
 'not running' => 'not running',
@@ -1684,10 +1674,6 @@
 'ovpn config' => 'OVPN-Config',
 'ovpn crypt options' => 'Cryptographic options',
 'ovpn device' => 'OpenVPN device:',
-'ovpn dh' => 'Diffie-Hellman parameters length',
-'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
-'ovpn dh parameters' => 'Diffie-Hellman parameters options',
-'ovpn dh upload' => 'Upload new Diffie-Hellman parameters',
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for Verde network is always set',
@@ -1958,7 +1944,6 @@
 'show ca certificate' => 'Show CA certificate',
 'show certificate' => 'Show file',
 'show crl' => 'Show certificate revocation list',
-'show dh' => 'Show Diffie-Hellman parameters',
 'show host certificate' => 'Show host certificate',
 'show last x lines' => 'Show last x lines',
 'show lines' => 'Show lines',
@@ -2298,7 +2283,6 @@
 'upload a certificate' => 'Upload a certificate:',
 'upload a certificate request' => 'Upload a certificate request:',
 'upload ca certificate' => 'Upload CA certificate',
-'upload dh key' => 'Upload Diffie-Hellman parameters',
 'upload fcdsl.o' => 'TO BE REMOVED',
 'upload file' => 'Upload file',
 'upload new ruleset' => 'Upload new ruleset',
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -746,12 +746,6 @@
 'details' => 'Detaylar',
 'device' => 'Aygıt',
 'devices on blue' => 'Mavi üzerindeki aygıtlar',
-'dh' => 'Diffie-Hellman parametreleri',
-'dh key move failed' => 'Diffie-Hellman parametreleri taşınamadı.',
-'dh key warn' => '1024 veya 2048 bit uzunluğundaki Diffie-Hellman parametrelerini oluşturma birkaç dakika sürebilir. 3072 veya 4096 bit uzunluğundaki parametreleri oluşturmak ise birkaç saate ihtiyaç olabilir. Lütfen sabırlı olun.',
-'dh key warn1' => 'Zayıf veya entropileri küçük olan sistemler için bu yükleme fonksiyonun kullanımı ile uzun Diffie-Hellman parametrelerini yükleme tavsiye edilir.',
-'dh name is invalid' => 'Geçersiz ad, lütfen "dh1024.pem" şeklinde kullanın.',
-'dh parameter' => 'Diffie-Hellman parametreleri',
 'dhcp advopt add' => 'DHCP seçeneği ekle',
 'dhcp advopt added' => 'DHCP seçeneği eklendi',
 'dhcp advopt blank value' => 'DHCP seçeneği değeri boş olamaz.',
@@ -868,7 +862,6 @@
 'download' => 'İndir',
 'download ca certificate' => 'CA sertifikası indir',
 'download certificate' => 'Sertifika indir',
-'download dh parameter' => 'Diffie-Hellman parametrelerini indir',
 'download host certificate' => 'Ana bilgisayar belgesi indir',
 'download new ruleset' => 'Yeni Kural Kümesi İndir',
 'download pkcs12 file' => 'PKCS12 dosyasını indir',
@@ -1269,11 +1262,9 @@
 'g.lite' => 'KALDIRILACAK',
 'gateway' => 'Ağ geçidi',
 'gateway ip' => 'Ağ Geçidi IP Adresi',
-'gen dh' => 'Yeni Diffie-Hellman parametrelerini oluşturun',
 'gen static key' => 'Statik bir anahtar oluştur',
 'generate' => 'Yönetici/Sunucu Sertifikası Oluştur',
 'generate a certificate' => 'Sertifika oluştur:',
-'generate dh key' => 'Diffie-Hellman parametrelerini oluşturun',
 'generate iso' => 'ISO oluştur',
 'generate root/host certificates' => 'Yönetici/Sunucu Sertifikası Oluştur',
 'generate tripwire keys and init' => 'tripwire anahtarları ve init oluştur',
@@ -1731,7 +1722,6 @@
 'nonetworkname' => 'Ağ adı girilmedi',
 'noservicename' => 'Hizmet adı girilmedi',
 'not a valid ca certificate' => 'Geçerli bir CA sertifikası değil.',
-'not a valid dh key' => 'Geçerli bir Diffie-Hellman parametre dosyası yok. 1024, 2048, 3072 veya 4096 bit uzunluğunda ve PKCS#3 biçimini kullanın.',
 'not enough disk space' => 'Yeterli disk alanı yok',
 'not present' => 'Mevcut <b>değil</b>',
 'not running' => 'çalışmıyor',
@@ -1828,10 +1818,6 @@
 'ovpn config' => 'OVPN-Yapılandırması',
 'ovpn crypt options' => 'Şifreleme seçenekleri',
 'ovpn device' => 'OpenVPN aygıtı:',
-'ovpn dh' => 'Diffie-Hellman parametre uzunluğu',
-'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun',
-'ovpn dh parameters' => 'Diffie-Hellman parametre seçenekleri',
-'ovpn dh upload' => 'Yeni Diffie-Hellman parametreleri yükle',
 'ovpn dl' => 'OVPN-Yapılandırması İndir',
 'ovpn engines' => 'Şifreleme motoru',
 'ovpn errmsg green already pushed' => 'Yeşil ağ için her zaman bir yol ayarla',
@@ -2111,7 +2097,6 @@
 'show ca certificate' => 'CA sertifikalarını göster',
 'show certificate' => 'Sertifika göster',
 'show crl' => 'Sertifika İptal Listesini Göster',
-'show dh' => 'Diffie-Hellman parametrelerini göster',
 'show host certificate' => 'Ana bilgisayar sertifikalarını göster',
 'show last x lines' => 'Son x satırlarını göster',
 'show lines' => 'Satırları göster',
@@ -2462,7 +2447,6 @@
 'upload a certificate' => 'Sertifika yükle:',
 'upload a certificate request' => 'Sertifika isteği yükle:',
 'upload ca certificate' => 'CA Sertifikası Yükle',
-'upload dh key' => 'Diffie-Hellman parametreleri yükle',
 'upload fcdsl.o' => 'KALDIRILACAK',
 'upload file' => 'Dosya yükle',
 'upload new ruleset' => 'Yeni kurallar yükle',
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -123,5 +123,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && make install
 	install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl

+	# Install RFC 7919 defined standard group ffdhe4096
+	install -m 0644 $(DIR_SRC)/config/ssl/ffdhe4096.pem /etc/ssl
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)