On Fri, 22 Jun 2018, Aki Tuomi wrote:
>> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert ssl-parameters.dat but how to make a new one?
> ... or you can make a fresh one using openssl gendh 4096 > dh.pem
This also works
openssl dhparam -out dh.pem 4096
Note that this will require quite a lot of entropy, so you should probably ensure that you run it on a laptop or on a virtual machine that has some entropy source/helper.
It can take an extraordinary amount of time for long keys. Most of the time/entropy is taken up producing a "safe" prime (p) such that (p-1)/2 is also prime, to resist some factoring algorithms.
However, recent advances make this condition obsolete [*] and not really safer, so a much faster way to generate a DH key is
openssl dhparam -dsaparam -out dh.pem 4096
DH generation is a one time operation, so if you're paranoid and you've got time to burn, go ahead and generate the "safe" DH key.
[*] https://security.stackexchange.com/questions/42415/openvpn-dhparam
Joseph Tam <jtam.home@gmail.com>
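The property the reply above is talking about, the modulus of dh.pem being a "safe" prime (p prime and (p-1)/2 also prime), can be checked after the fact. The script below is an added example, not code from this thread, from Dovecot or from OpenSSL: it decodes the PKCS#3 DHParameter structure (SEQUENCE { p INTEGER, g INTEGER }) out of a dh.pem, reports the modulus size, and runs Miller-Rabin on p and (p-1)/2. A file produced by plain `openssl dhparam` should pass the safe-prime test; one produced with `-dsaparam` is DSA-style (p-1 has a large prime factor q, but (p-1)/2 is not itself prime in general) and should not. The two sample PEMs are constructed inside the script from small primes so it runs instantly; they are for the demonstration only, never for a real server. One caveat worth keeping in mind with `-dsaparam` parameters: the OpenSSL dhparam manual notes they are only safe when the server uses a fresh DH private value per connection, which OpenSSL 1.1.0 and later always do.

```python
"""Check whether a dh.pem carries a "safe" prime.  Added example; not from the
original mailing-list thread, Dovecot or OpenSSL.  Sample parameters are
constructed below from small primes purely so the script runs quickly."""
import base64
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (trial division first)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p is "safe" when both p and (p-1)/2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def gen_safe_prime(bits):
    """Random search for a safe prime of exactly `bits` bits.  This loop is
    what makes `openssl dhparam` slow: only a small fraction of candidates
    qualify, and each one needs two primality tests."""
    rng = random.SystemRandom()
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1   # (bits-1)-bit odd q
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1                                     # exactly `bits` bits


# --- minimal DER encode/decode for DHParameter ::= SEQUENCE { p, g } -------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # spare byte keeps sign positive
    return b"\x02" + _der_len(len(b)) + b


def encode_dh_pem(p, g):
    """Build a PEM "DH PARAMETERS" block (what openssl dhparam writes)."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_dh_pem(pem):
    """Return (p, g).  An optional third INTEGER (privateValueLength) that
    some generators emit is simply not read."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dh_pem(pem):
    p, g = decode_dh_pem(pem)
    return {"bits": p.bit_length(), "generator": g,
            "prime": is_probable_prime(p), "safe_prime": is_safe_prime(p)}


# Constructed samples (demo only): a 64-bit safe prime, and the Mersenne prime
# 2^61-1, which is prime but not safe since (2^61-2)/2 is divisible by 3.
SAFE_PEM = encode_dh_pem(gen_safe_prime(64), 2)
NOT_SAFE_PEM = encode_dh_pem(2 ** 61 - 1, 2)

if __name__ == "__main__":
    print("safe-prime sample:", check_dh_pem(SAFE_PEM))
    print("DSA-style sample: ", check_dh_pem(NOT_SAFE_PEM))
```

To check a real file, read it with `open("dh.pem").read()` and pass it to `check_dh_pem`; for a 4096-bit modulus the two Miller-Rabin runs take a few seconds in pure Python. `gen_safe_prime` is included only to make the cost of the safe-prime search tangible; use `openssl dhparam`, not this script, to produce parameters you deploy.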