Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file

Since commit bd9aa06feb (Jan 2015) OpenVPN has allowed to use '--dh none' to disable traditional Diffie Hellman, since more secure ECDH algorithms are available that do not use explicit DH parameters. If configured with a suffiently high securelevel (3+), or if running in FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests fail. Thus, remove all the DH2048 stuff from our sample configs. Github: triggered by OpenVPN/openvpn#819 Change-Id: If66438662bd862a195b2a69c4fa45f63838982b7 Signed-off-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250820175459.11227-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32632.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-02-03 20:39:40 -05:00 · 2025-08-20 19:54:53 +02:00 · 2025-08-20 19:54:53 +02:00 · 2d73540316
commit 2d73540316
parent 72a0e6f94f
5 changed files with 4 additions and 17 deletions
--- a/doc/tests/authentication-plugins.md
+++ b/doc/tests/authentication-plugins.md
@ -36,7 +36,7 @@ To build the needed authentication plug-in, run:
      verb 4
      dev tun
      server 10.8.0.0 255.255.255.0
-      dh sample/sample-keys/dh2048.pem
+      dh none
      ca sample/sample-keys/ca.crt
      cert sample/sample-keys/server.crt
      key sample/sample-keys/server.key
--- a/sample/sample-config-files/loopback-server
+++ b/sample/sample-config-files/loopback-server
@ -17,7 +17,7 @@ dev null
 verb 3
 reneg-sec 10
 tls-server
-dh sample-keys/dh2048.pem
+dh none
 ca sample-keys/ca.crt
 key sample-keys/server.key
 cert sample-keys/server.crt
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@ -87,11 +87,6 @@ ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret

-# Diffie hellman parameters.
-# Generate your own with:
-#   openssl dhparam -out dh2048.pem 2048
-dh dh2048.pem
-
 # Allow to connect to really old OpenVPN versions
 # without AEAD support (OpenVPN 2.3.x or older)
 # This adds AES-256-CBC as fallback cipher and
@ -306,4 +301,4 @@ verb 3

 # Notify the client that when the server restarts so it
 # can automatically reconnect.
-explicit-exit-notify 1
+explicit-exit-notify 1
--- a/sample/sample-keys/dh2048.pem
+++ b/sample/sample-keys/dh2048.pem
@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAgGOVdT2c3GUITi1pF9u+yo72PRBW7I7SnNIsHmXCRYibpyPMGxKM
-ROK6rduMllC0CjiXQZhMfqCg+GIca9xxBPKtTnwtKWD3eH5wgs24kw86mODITjJk
-6lTNM8it2HY4UuIQoFCqCdt5f5Gwgh2nwU5+dy731md6pmw9x9jUEXoyh67CeZfb
-C45x5ttzjpSBvYe5ZIiUypYKumYhdiZhk0RLefEtlUYF9oXrUExDqfYDpSO/1/X3
-oHC0O0EV3Lh1boZTG7+FjcvMYLIKYUDTmxHpII6/OAHhprg7U9ui1i7GyQRv1lze
-QV3FGO4UwLntnv352iYy91b0ls2mwD+zTwIBAg==
-----END DH PARAMETERS-----
--- a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn
+++ b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn
@ -8,7 +8,7 @@ plugin ./keyingmaterialexporter.so
 ca     ../../sample-keys/ca.crt
 cert   ../../sample-keys/server.crt
 key    ../../sample-keys/server.key
-dh     ../../sample-keys/dh2048.pem
+dh     none

 server 10.8.0.0 255.255.255.0
 port 1194