06-18-2009, 08:30 PM
Member
Join Date: Apr 2009
Location: Brussels, Belgium, Europe
Posts: 77
SSL VPN only 1024bit instead of 2048bit?
My SSL VPN has been configured to use a 2048bit key size, however when checking the logs, I get the following:
Code:
2009:06:18-16:30:58 <VPN NAME> openvpn[12501]: <IPADDRESS>:1761 TLS: Username/Password authentication succeeded for username '<USERNAME>'
2009:06:18-16:30:58 <VPN NAME> openvpn[12501]: <IPADDRESS>:1761 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2009:06:18-16:30:58 <VPN NAME> openvpn[12501]: <IPADDRESS>:1761 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2009:06:18-16:30:58 <VPN NAME> openvpn[12501]: <IPADDRESS>:1761 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2009:06:18-16:30:58 <VPN NAME> openvpn[12501]: <IPADDRESS>:1761 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2009:06:18-16:30:58 <VPN NAME> openvpn[12501]: <IPADDRESS>:1761 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Am I misinterpreting something, or is there really a problem here?
BTW: I'm using 7.460

06-18-2009, 08:47 PM
Moderator
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,396
Show a pic of the 'Advanced' tab of 'SSL VPN'. If it says you're using a 2048-bit key, I think you found a bug.
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

06-19-2009, 07:30 AM
Member
Join Date: Apr 2009
Location: Brussels, Belgium, Europe
Posts: 77
In attachment you can see my advanced settings.

12-14-2009, 07:46 PM
Junior Member
Join Date: Nov 2008
Location: Maryland
Posts: 28
I too have the same issue. I'm running 7.502 and I have SSL VPN set to use a 2048 bit cert, but when checking the cert for my user it is still only 1024.
__________________
Astaro 7.502 , 100 user license
Cpu---- Intel P4 Socket 478 3.0 Ghz / On a HP DC5000
2 Intel Pro server MT Gigabyte pci-x nics
320 GB 7400 Rpm HD

12-15-2009, 05:35 PM
Moderator
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,396
dhaman3, I think that may be a different issue. The user certs can be generated with 1024-, 2048-, 3072- or 4096-bit keys. Oh, wait a minute, I see now that it is the same issue. I don't think this is an error. It's the difference between the keysize for the user and the keysize for the Astaro SSL VPN server.
Cheers - Bob

12-16-2009, 12:55 PM
Senior Member
Join Date: Jul 2007
Location: Oschatz, Germany
Posts: 189
Here with 7.306 it's the same.
User, local and WA have a public key length of 1024 bit. I downloaded and read with text editor.
The key is set to 2048...
Is it related to the length of the local certificate? So I think the server's cert should be changed to one with 2048 and every SSL user should get a new one with 2048 bit too.
I will try this with my ASL and let you know the result of testing.
--
Kind regards,
Steffen

12-16-2009, 02:03 PM
Senior Member
Join Date: Jul 2007
Location: Oschatz, Germany
Posts: 189
So, finished.
In my ASL at 7.502 I set SSL-VPN to use its own certificate created with a key length of 2048 bits.
For the user in question I created a new user certificate using distinguished name with a length of 2048 bits too.
After that I logged in to UP and downloaded SSL configuration files only, client from 7.306 still installed. The installed certificates I read with text editor again. In ca.cert the public key has a length of 1024 bits but the user.cert has a public key length of 2048 bits.
In connecting log I could read it was using key length of 2048 bits.
"Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA"
But why the ca.cert is using 1024 bit if in SSL settings a certificate with 2048 bits is set to use?
Hope that helps everyone.
--
MfG, Steffen

12-16-2009, 08:04 PM
Junior Member
Join Date: Nov 2008
Location: Maryland
Posts: 28
Exactly my issue. I have no problem creating a cert for a user and it actually being 2048 bits (user cert), but the ASG Certificate Authority cannot be made 2048 bits. This is either a limitation or a bug, because there's not much sense in a user authenticating a 2048-bit cert to a 1024-bit CA. Is there a workaround for this? I know in OpenVPN I can make all the certs, CA, etc. that I need, but I would like ASG to give me the capability of using a 2048-bit CA.

12-17-2009, 07:20 AM
Senior Member
Join Date: Jul 2007
Location: Oschatz, Germany
Posts: 189
One interesting thing I found in the start up entries from the SSL VPN log:
openvpn[3855]: Diffie-Hellman initialized with 2048 bit key
[edit]In v7.306 I can read this.[/edit]
...
--
MfG, Steffen
Last edited by Trialrider; 12-18-2009 at 07:11 AM.
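
As an added example (not part of any post in this thread), a short Python check that scans an OpenVPN log for the two key-size lines quoted above, `Control Channel: ... N bit RSA` and `Diffie-Hellman initialized with N bit key`, and flags any value below a threshold. The sample log is constructed from the thread's lines; the host name `vpn-gw`, the 192.0.2.x client addresses and the 2048-bit floor are assumptions.

```python
import re

# Constructed sample built from the log lines quoted in the thread; the host
# name, client addresses and the timestamps on lines 1 and 4 are placeholders.
SAMPLE_LOG = """\
2009:06:18-16:30:50 vpn-gw openvpn[3855]: Diffie-Hellman initialized with 2048 bit key
2009:06:18-16:30:58 vpn-gw openvpn[12501]: 192.0.2.10:1761 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2009:06:18-16:30:58 vpn-gw openvpn[12501]: 192.0.2.10:1761 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2009:12:16-14:01:12 vpn-gw openvpn[12501]: 192.0.2.11:2210 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
"""

MIN_BITS = 2048  # assumed policy floor: the key size configured in the thread

CONTROL = re.compile(
    r"^(?P<ts>\S+) .*?openvpn\[\d+\]: (?P<peer>\S+) Control Channel: "
    r"(?P<proto>[^,]+), cipher (?P<suite>.+), (?P<bits>\d+) bit RSA$"
)
DH = re.compile(r"openvpn\[\d+\]: Diffie-Hellman initialized with (?P<bits>\d+) bit key")


def audit(log_text, min_bits=MIN_BITS):
    """Return one finding per key-size line; 'weak' is True below min_bits."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = CONTROL.match(line)
        if m:
            bits = int(m["bits"])
            findings.append({"kind": "control-channel-rsa", "ts": m["ts"],
                             "peer": m["peer"], "proto": m["proto"],
                             "suite": m["suite"].split()[-1],
                             "bits": bits, "weak": bits < min_bits})
            continue
        m = DH.search(line)
        if m:
            bits = int(m["bits"])
            findings.append({"kind": "dh-params", "peer": None,
                             "bits": bits, "weak": bits < min_bits})
    return findings


def weak_peers(log_text, min_bits=MIN_BITS):
    """Client endpoints whose control channel reported an RSA key below min_bits."""
    return sorted({f["peer"] for f in audit(log_text, min_bits)
                   if f["kind"] == "control-channel-rsa" and f["weak"]})


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("WEAK" if f["weak"] else "ok  ", f["kind"], f["peer"], f["bits"])
```

Data channel lines are ignored on purpose: their 256 bit and 160 bit figures describe the symmetric cipher and HMAC, not the RSA or Diffie-Hellman key sizes the thread is about.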