Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file

cron2 · cron2 · commit 2d73540316af · 2025-08-20T23:11:33.000+02:00
Since commit bd9aa06 (Jan 2015) OpenVPN has allowed to use '--dh none' to disable traditional Diffie Hellman, since more secure ECDH algorithms are available that do not use explicit DH parameters. If configured with a suffiently high securelevel (3+), or if running in FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests fail. Thus, remove all the DH2048 stuff from our sample configs. Github: triggered by #819 Change-Id: If66438662bd862a195b2a69c4fa45f63838982b7 Signed-off-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250820175459.11227-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32632.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md
@@ -36,7 +36,7 @@ To build the needed authentication plug-in, run:
       verb 4
       dev tun
       server 10.8.0.0 255.255.255.0
-      dh sample/sample-keys/dh2048.pem
+      dh none
       ca sample/sample-keys/ca.crt
       cert sample/sample-keys/server.crt
       key sample/sample-keys/server.key
diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server
@@ -17,7 +17,7 @@ dev null
 verb 3
 reneg-sec 10
 tls-server
-dh sample-keys/dh2048.pem
+dh none
 ca sample-keys/ca.crt
 key sample-keys/server.key
 cert sample-keys/server.crt
diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf
@@ -87,11 +87,6 @@ ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
 
-# Diffie hellman parameters.
-# Generate your own with:
-#   openssl dhparam -out dh2048.pem 2048
-dh dh2048.pem
-
 # Allow to connect to really old OpenVPN versions
 # without AEAD support (OpenVPN 2.3.x or older)
 # This adds AES-256-CBC as fallback cipher and
@@ -306,4 +301,4 @@ verb 3
 
 # Notify the client that when the server restarts so it
 # can automatically reconnect.
-explicit-exit-notify 1
+explicit-exit-notify 1
diff --git a/sample/sample-keys/dh2048.pem b/sample/sample-keys/dh2048.pem
diff --git a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn
@@ -8,7 +8,7 @@ plugin ./keyingmaterialexporter.so
 ca     ../../sample-keys/ca.crt
 cert   ../../sample-keys/server.crt
 key    ../../sample-keys/server.key
-dh     ../../sample-keys/dh2048.pem
+dh     none
 
 server 10.8.0.0 255.255.255.0
 port 1194
