Added 3072-bit RSA key length options. (#2466)

This conforms to current recommendations and best practices for a
128-bit security margin.

2048 is still the minimum recommended, but 2048-bit RSA only aligns to a
112-bit security margin, roughly analogous to 3DES. AES-128, the
minimum recommended cipher, requires a 3072-bit RSA key and a 256-bit digest
(SHA256) to provide an equivalent security level in all cryptographic
components.

src/wizard/openvpn.xml

@@ -370,6 +370,10 @@ if (isset($config['wizardtemp'])) {
 					<name>2048 bit</name>
 					<value>2048</value>
 				</option>
+				<option>
+					<name>3072 bit</name>
+					<value>3072</value>
+				</option>
 				<option>
 					<name>4096 bit</name>
 					<value>4096</value>
@@ -495,6 +499,10 @@ if (isset($config['wizardtemp'])) {
 					<name>2048 bit</name>
 					<value>2048</value>
 				</option>
+				<option>
+					<name>3072 bit</name>
+					<value>3072</value>
+				</option>
 				<option>
 					<name>4096 bit</name>
 					<value>4096</value>

src/www/system_camanager.php

@@ -129,7 +129,7 @@ function ca_inter_create(&$ca, $keylen, $lifetime, $dn, $caref, $digest_alg = 's
 }
 
 
-$ca_keylens = array( "512", "1024", "2048", "4096", "8192");
+$ca_keylens = array( "512", "1024", "2048", "3072", "4096", "8192");
 $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
 $a_ca = &config_read_array('ca');
 $a_cert = &config_read_array('cert');

src/www/system_certmanager.php

@@ -86,7 +86,7 @@ $cert_methods = array(
     "internal" => gettext("Create an internal Certificate"),
     "external" => gettext("Create a Certificate Signing Request"),
 );
-$cert_keylens = array( "512", "1024", "2048", "4096", "8192");
+$cert_keylens = array( "512", "1024", "2048", "3072", "4096", "8192");
 $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");