From 1f8fc1295bdf6ff01b81e1ea738d19580a1b4790 Mon Sep 17 00:00:00 2001
From: Justin Coffman <12767509+whislock@users.noreply.github.com>
Date: Tue, 19 Jun 2018 01:04:04 -0400
Subject: [PATCH] Added 3072-bit RSA key length options. (#2466)

This conforms to current recommendations and best practices for a
128-bit security margin.

2048 is still the minimum recommended, but 2048-bit RSA only aligns to a
112-bit security margin, roughly analogous to 3DES. AES-128, the
minimum recommended cipher, requires a 3072-bit RSA key and a 256-bit digest
(SHA256) to provide an equivalent security level in all cryptographic
components.
---
 src/wizard/openvpn.xml         | 8 ++++++++
 src/www/system_camanager.php   | 2 +-
 src/www/system_certmanager.php | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/wizard/openvpn.xml b/src/wizard/openvpn.xml
index bfc4a2d3c..86557685a 100644
--- a/src/wizard/openvpn.xml
+++ b/src/wizard/openvpn.xml
@@ -370,6 +370,10 @@ if (isset($config['wizardtemp'])) {
 					<name>2048 bit</name>
 					<value>2048</value>
 				</option>
+				<option>
+					<name>3072 bit</name>
+					<value>3072</value>
+				</option>
 				<option>
 					<name>4096 bit</name>
 					<value>4096</value>
@@ -495,6 +499,10 @@ if (isset($config['wizardtemp'])) {
 					<name>2048 bit</name>
 					<value>2048</value>
 				</option>
+				<option>
+					<name>3072 bit</name>
+					<value>3072</value>
+				</option>
 				<option>
 					<name>4096 bit</name>
 					<value>4096</value>
diff --git a/src/www/system_camanager.php b/src/www/system_camanager.php
index e64e4b48a..260c4f11d 100644
--- a/src/www/system_camanager.php
+++ b/src/www/system_camanager.php
@@ -129,7 +129,7 @@ function ca_inter_create(&$ca, $keylen, $lifetime, $dn, $caref, $digest_alg = 's
 }
 
 
-$ca_keylens = array( "512", "1024", "2048", "4096", "8192");
+$ca_keylens = array( "512", "1024", "2048", "3072", "4096", "8192");
 $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
 $a_ca = &config_read_array('ca');
 $a_cert = &config_read_array('cert');
diff --git a/src/www/system_certmanager.php b/src/www/system_certmanager.php
index dacc04e41..5415a4d98 100644
--- a/src/www/system_certmanager.php
+++ b/src/www/system_certmanager.php
@@ -86,7 +86,7 @@ $cert_methods = array(
     "internal" => gettext("Create an internal Certificate"),
     "external" => gettext("Create a Certificate Signing Request"),
 );
-$cert_keylens = array( "512", "1024", "2048", "4096", "8192");
+$cert_keylens = array( "512", "1024", "2048", "3072", "4096", "8192");
 $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");