Bumping default dh key lengths

b994a9c6 · Bob Mottram · 3ddeb7fa · b994a9c6 · b994a9c6 · b994a9c6
Commit b994a9c6 authored 9 years ago by Bob Mottram
--- a/doc/EN/beaglebone.txt
+++ b/doc/EN/beaglebone.txt
@@ -1650,7 +1650,7 @@ openssl req \
  -keyout /etc/ssl/private/$HOSTNAME.key \
  -out /etc/ssl/certs/$HOSTNAME.crt
-openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
+openssl dhparam -check -text -5 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
 chmod 400 /etc/ssl/private/$HOSTNAME.key
 chmod 640 /etc/ssl/certs/$HOSTNAME.crt
@@ -7362,7 +7362,7 @@ PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin'
 initialrepair_start() {
 echo "Starting $SERVICE..."
-su --command "screen -h 1024 -dmS ${SERVICE} ${INVOCATION}" root
+su --command "screen -h 2048 -dmS ${SERVICE} ${INVOCATION}" root
 }

--- a/src/freedombone
+++ b/src/freedombone
@@ -417,7 +417,7 @@ ZERONET_DEFAULT_FORUM_TAGLINE="A decentralized discussion group"
 IPFS_PORT=4001
 # Default diffie-hellman key length in bits
-DH_KEYLENGTH=1024
+DH_KEYLENGTH=2048
 # repo for atheros AR9271 wifi driver
 ATHEROS_WIFI_REPO='https://github.com/qca/open-ath9k-htc-firmware.git'

--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -36,7 +36,7 @@ ORGANISATION="Freedombone"
 UNIT="Freedombone Unit"
 EXTENSIONS=""
 NODH=
-DH_KEYLENGTH=1024
+DH_KEYLENGTH=2048
 function show_help {
    echo ''

--- a/src/freedombone-config
+++ b/src/freedombone-config
@@ -695,7 +695,9 @@ function interactive_configuration {
    if [[ $INSTALLING_ON_BBB == "yes" ]]; then
        USB_DRIVE=/dev/sda1
        # here a short diffie-hellman key length is used, because otherwise creation of keys
-        # becomes impractically long on the beaglebone.
+        # becomes impractically long on the beaglebone. It is known (as of 2015) that
+        # 1024bit DH may be breakable, so this is really a tradeoff between security and the
+        # available hardware
        DH_KEYLENGTH=1024
    fi
    save_configuration_file

--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -53,7 +53,7 @@ CURRENT_DIR=$(pwd)
 REGENERATE_SSH_HOST_KEYS="no"
 REGENERATE_DH_KEYS="no"
 RESET_TRIPWIRE="no"
-DH_KEYLENGTH=1024
+DH_KEYLENGTH=2048
 function get_protocols_from_website {
  if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
@@ -347,7 +347,7 @@ function regenerate_dh_keys {
      dialog --backtitle "Freedombone Security Configuration" \
             --title "Diffie-Hellman key length" \
             --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
-             1 "1024 bits" off \
+             1 "1024 bits (WARNING: this may be insecure)" off \
             2 "2048 bits" on \
             3 "3072 bits" off 2> $data
      sel=$?