Security audit


#1

So, has anybody audited the custom GL software?
For example openvpn server.

```sh
create_certificates() {
# CA Authority

# Server certificate

# Sign request

# Client certificate

# Sign request

# Create Diffie-Hellman Key (disabled in the firmware)
#openssl dhparam -out $DH_KEY 1024 >/dev/null 2>&1

# Create TLS Key (disabled in the firmware)
# openvpn --genkey --secret $TA_KEY
return 0

}
```

So, you don't create a unique Diffie-Hellman key per device (commented out), but reuse the file /etc/openvpn/cert/dh1024.pem.
Is 1024 bit enough as well as sharing the same file?

https://blog.hqcodeshop.fi/archives/320-Diffie-Hellman-key-exchange-1024-bit-unreliable.html

Why has perfect forward secrecy not been enabled with TA keys?
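As an added example (not code from the post or from the firmware), a small Python check that reads an OpenVPN DH parameters file like the dh1024.pem above, reports the prime size against an assumed 2048-bit minimum, and fingerprints the DER so the same file copied onto many devices can be spotted; the sample modulus is constructed for the test and is not a real group.

```python
import base64
import hashlib
import re

MIN_DH_BITS = 2048  # assumed policy threshold; 1024-bit groups are below current guidance


def _der_len(n):
    """DER length: short form below 0x80, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    """DER INTEGER; a leading 0x00 keeps a value with its high bit set positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def encode_dh_params(p, g=2):
    """Build a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g } (PKCS#3 layout)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def audit_dh_params(pem):
    """Return the prime size, a DER fingerprint (same on every device sharing the file) and a verdict."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    tag_p, p_raw, _ = _read_tlv(seq, 0)
    if tag != 0x30 or tag_p != 0x02:
        raise ValueError("not a SEQUENCE { INTEGER p, ... } structure")
    bits = int.from_bytes(p_raw, "big").bit_length()
    return {"bits": bits, "sha256": hashlib.sha256(der).hexdigest()[:16], "ok": bits >= MIN_DH_BITS}


# Constructed sample: a 1024-bit modulus like the shared dh1024.pem (not prime, not a real group).
SAMPLE_1024 = encode_dh_params((1 << 1023) | 0x3F)
```

Running audit_dh_params over the dh file collected from several routers and comparing the sha256 field shows whether they all ship one identical parameter set.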


#2

Thanks for your audit. There is a security issue there. We built in the DH file because it takes a long time to generate.


#3

Just appalling, really. Just sloppy work. You guys don't take things seriously enough; too much crap. You need to release a secure version.


#4

I think you are expecting too much. And you can always build your own custom firmware if you are not happy with stock.


#5

I like this product, but I need it to improve before I can recommend it to others. And I can't help but notice how you just keep trying to invalidate or trivialize every bug report the users make here. When I see you arguing in favor of weak security too, I have to question your motive and who you are really working for.