mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
46803376d5
https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf (released in 2015) recommends "to use primes of 2048 bits or larger", to which BSI's techical guideline BSI-TR-02102 (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=5) concurs. The latter also recommends not to use DH groups comprising of less than 2000 bits after 2022, and shift to 3000 bit DH groups earlier as a precaution. According to RFC 3526, section 8, MODP-1536 provides an estimated security between 90 and 120 bits, a value that can be reasonably considered broken today, as it has been so for other types of cryptographic algorithms already, and per section 2.4 in the aforementioned paper, breaking 1024-bit DH is considered feasible for the NSA in 2015, which does not inspire confidence for MODP-1536 in 2022. Therefore, this patch suggests to mark MODP-1536 as broken, since it de facto is, and tag MODP-2048 as weak. The latter is also removed from the default selection, so newly created VPN connections won't use it anymore, to follow BSI's recommendations of using DH groups >= 3000 bits in 2022 and later. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>