This allows us to remove all DH handling remnants. If people
want to use a separate content they will have to let us know,
but it seems unlikely. The only impact seems to be a security
bump from 2k to 4k default.

Learned this the hard way on macOS Catalina behaviour. Since this
is a new policy enforced since 2019 it's safe to increase the defaults
(which were 10 years before) as well. Likely makes a few users
happy that had VPN certificates run out over the years.

This conforms to current recommendations and best practices for a
128-bit security margin.
2048 is still the minimum recommended, but 2048-bit RSA only aligns to a
112-bit security margin, roughly analogous to 3DES. AES-128, the
minimum recommended cipher, requires a 3072-bit RSA key and a 256-bit digest
(SHA256) to provide an equivalent security level in all cryptographic
components.

o Remove a subtype of <includefile/> to reduce feature bloat
o Select 32 bit subnet (host) as a suggestion
o Never skip LAN and make it optional instead
o Fix regression of $xml passing
o Fix voodoo on Static
o We could potentially pass files using xml=../../xxx, so just
hardcode the wizards we know for now. I don't expect them to
grow, otherwise we may be able to do a directory expand.
o Move xml files out of the /usr/local/www/wizards into /usr/local/wizard.
o Move the include file to the normal include path /usr/local/etc/inc.
o Allow the menu to always expand to the setup wizard, even though
we may be triggering the OpenVPN wizard. This gives a consistent
feel of navigation, especially since POST requests hide the invoked
wizard later on anyway.
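
The `xml=../../xxx` item above, as an added example that is not OPNsense code: it contrasts joining the request value to the wizard directory with looking it up in an allowlist built by the "directory expand" the message mentions. The function names, the wizard file names and the temporary sandbox are assumptions made for illustration; only `/usr/local/wizard` comes from the text.

```php
<?php
// Added illustration, not OPNsense code. The directory name comes from the
// commit text; file names and xml= values below are constructed samples.

/** Unsafe pattern: the request value becomes part of the path. */
function wizard_path_unsafe(string $dir, string $xml): string
{
    return $dir . '/' . $xml;            // "../../xxx" leaves $dir
}

/** "Directory expand": build the allowlist from what is installed. */
function known_wizards(string $dir): array
{
    $known = [];
    foreach (glob($dir . '/*.xml') ?: [] as $file) {
        $known[basename($file)] = realpath($file);
    }
    return $known;
}

/** The request value is only used as an array key, never joined to a path. */
function wizard_path_safe(string $dir, string $xml): ?string
{
    return known_wizards($dir)[$xml] ?? null;
}

// Constructed sandbox standing in for /usr/local/wizard.
$base = sys_get_temp_dir() . '/wizdemo_' . getmypid();
$dir  = $base . '/usr/local/wizard';
mkdir($dir, 0700, true);
file_put_contents($dir . '/system.xml', '<wizard/>');
file_put_contents($dir . '/openvpn.xml', '<wizard/>');
// A file two levels above the wizard directory, where "../../xxx" points.
file_put_contents($base . '/usr/xxx', 'outside the wizard directory');

foreach (['system.xml', 'openvpn.xml', '../../xxx', 'nosuch.xml'] as $xml) {
    printf(
        "xml=%-12s unsafe=%s safe=%s\n",
        $xml,
        realpath(wizard_path_unsafe($dir, $xml)) ?: '(no file)',
        wizard_path_safe($dir, $xml) ?? 'rejected'
    );
}
```

Because the lookup compares the whole request value against installed file names, encoded or nested traversal sequences never reach the filesystem call.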