Discussion:
[Openvpn-users] Default key length of DH/DHE/ECDH/ECDHE
SaAtomic
2017-07-24 12:20:27 UTC
I'm not sure if this question is more suitable for the OpenVPN or the OpenSSL users list.

With OpenVPN 2.4.0 and OpenSSL 1.0.2l only ECDHE and DHE are available, but I do not have the option to define a key length,
so I assume OpenSSL's default key length will be used. With older versions of OpenVPN/OpenSSL DH and ECDH are also available if I'm not mistaken.

On the OpenSSL users mailing list, I was informed, that for the EC Diffie Hellman, the chosen curve (e.g. NIST256, NIST384, ...) determines the key length.

What key length does OpenVPN use for DH, DHE, ECDH and ECDHE?

Thank you and regards,
SaAtomic
Steffan Karger
2017-07-24 12:39:41 UTC
Hi,
Post by SaAtomic
I'm not sure if this question is more suitable for the OpenVPN or the OpenSSL users list.
With OpenVPN 2.4.0 and OpenSSL 1.0.2l only ECDHE and DHE are available, but
I do not have the option to define a key length,
so I assume OpenSSL's default key length will be used. With older versions
of OpenVPN/OpenSSL DH and ECDH are also available if I'm not mistaken.
On the OpenSSL users mailing list, I was informed, that for the EC Diffie
Hellman, the chosen curve (e.g. NIST256, NIST384, ...) determines the key
length.
What key length does OpenVPN use for DH, DHE, ECDH and ECDHE?

For DH/DHE, the key length is determined by the parameters you provide
to the server through --dh.

For ECDH/ECDHE, the key size is determined by the curve, and the
curve is determined by the server certificate. By default OpenVPN (1)
tries to let OpenSSL 1.0.2 and newer or mbed TLS select the curve
automatically, or for OpenSSL 1.0.1 and older uses either (2) the
curve used in the server certificate (--cert) or (3) when the server
cert is not an EC cert falls back to P-384.

-Steffan
