resiprocate · dpocock · Sep 18, 2015 · Sep 9, 2015
diff --git a/debian/conf/reTurnServer.config b/debian/conf/reTurnServer.config
@@ -217,9 +217,9 @@ TlsServerPrivateKeyFilename = server-key.pem
 # TLS temporary Diffie-Hellman parameters file (loaded from working directory)
 # Can be generated with the command:
 #
-#     openssl dhparam -outform PEM -out dh512.pem 512
+#     openssl dhparam -outform PEM -out dh2048.pem 2048
 #
-TlsTempDhFilename = /etc/reTurn/dh512.pem
+TlsTempDhFilename = /etc/reTurn/dh2048.pem
 
 # TLS server private key certificate password required to read
 # from PEM file.  Leave blank if key is not encrypted.

diff --git a/debian/resiprocate-turn-server.postinst b/debian/resiprocate-turn-server.postinst
@@ -21,7 +21,7 @@ dpkg-maintscript-helper mv_conffile \
   /etc/reTurnServer-users.txt /etc/reTurn/users.txt 1.9.0~beta10-1 -- "$@"
 
 sed -i -e 's!^UserDatabaseFile = /etc/reTurnServer-users.txt!UserDatabaseFile = /etc/reTurn/users.txt!' /etc/reTurn/reTurnServer.config
-sed -i -e 's!^TlsTempDhFilename = /etc/reTurnServer-dh512.pem!TlsTempDhFilename = /etc/reTurn/dh512.pem!' /etc/reTurn/reTurnServer.config
+sed -i -e 's!^TlsTempDhFilename = /etc/reTurnServer-dh2048.pem!TlsTempDhFilename = /etc/reTurn/dh2048.pem!' /etc/reTurn/reTurnServer.config
 
 # $1 = version of the package being upgraded.
 install() {
@@ -44,11 +44,11 @@ install() {
                "$RETURN_USER" || exit 1
     fi
 
-    #DH_PARAM_FILE=/etc/reTurn/dh512.pem
+    #DH_PARAM_FILE=/etc/reTurn/dh2048.pem
     #if [ ! -f ${DH_PARAM_FILE} ];
     #then
     #    echo "Generating DH parameters..."
-    #    openssl dhparam -outform PEM -out ${DH_PARAM_FILE} 512 > /dev/null
+    #    openssl dhparam -outform PEM -out ${DH_PARAM_FILE} 2048 > /dev/null
     #fi
 
     chown ${RETURN_USER}:${RETURN_GROUP} /var/log/reTurnServer

diff --git a/reTurn/Makefile.am b/reTurn/Makefile.am
@@ -1,6 +1,6 @@
 # $Id$
 
-EXTRA_DIST = dh512.pem server.pem
+EXTRA_DIST = dh2048.pem server.pem
 EXTRA_DIST += pkg
 EXTRA_DIST += README.txt
 EXTRA_DIST += *.sln

diff --git a/reTurn/ReTurnConfig.cxx b/reTurn/ReTurnConfig.cxx
@@ -49,7 +49,7 @@ ReTurnConfig::ReTurnConfig() :
    mMaxAllocationsPerUser(0),       // 0 - no max
    mTlsServerCertificateFilename("server.pem"),
    mTlsServerPrivateKeyFilename(""),
-   mTlsTempDhFilename("dh512.pem"),
+   mTlsTempDhFilename("dh2048.pem"),
    mTlsPrivateKeyPassword(""),
    mUsersDatabaseFilename(""),
    mUserDatabaseHashedPasswords(false),

diff --git a/reTurn/dh2048.pem b/reTurn/dh2048.pem
@@ -0,0 +1,32 @@
+MODP Group 14 from RFC 3526
+"More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)"
+
+    PKCS#3 DH Parameters: (2048 bit)
+        prime:
+            00:ff:ff:ff:ff:ff:ff:ff:ff:c9:0f:da:a2:21:68:
+            c2:34:c4:c6:62:8b:80:dc:1c:d1:29:02:4e:08:8a:
+            67:cc:74:02:0b:be:a6:3b:13:9b:22:51:4a:08:79:
+            8e:34:04:dd:ef:95:19:b3:cd:3a:43:1b:30:2b:0a:
+            6d:f2:5f:14:37:4f:e1:35:6d:6d:51:c2:45:e4:85:
+            b5:76:62:5e:7e:c6:f4:4c:42:e9:a6:37:ed:6b:0b:
+            ff:5c:b6:f4:06:b7:ed:ee:38:6b:fb:5a:89:9f:a5:
+            ae:9f:24:11:7c:4b:1f:e6:49:28:66:51:ec:e4:5b:
+            3d:c2:00:7c:b8:a1:63:bf:05:98:da:48:36:1c:55:
+            d3:9a:69:16:3f:a8:fd:24:cf:5f:83:65:5d:23:dc:
+            a3:ad:96:1c:62:f3:56:20:85:52:bb:9e:d5:29:07:
+            70:96:96:6d:67:0c:35:4e:4a:bc:98:04:f1:74:6c:
+            08:ca:18:21:7c:32:90:5e:46:2e:36:ce:3b:e3:9e:
+            77:2c:18:0e:86:03:9b:27:83:a2:ec:07:a2:8f:b5:
+            c5:5d:f0:6f:4c:52:c9:de:2b:cb:f6:95:58:17:18:
+            39:95:49:7c:ea:95:6a:e5:15:d2:26:18:98:fa:05:
+            10:15:72:8e:5a:8a:ac:aa:68:ff:ff:ff:ff:ff:ff:
+            ff:ff
+        generator: 2 (0x2)
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/reTurn/dh512.pem b/reTurn/dh512.pem
diff --git a/reTurn/reTurnServer.config b/reTurn/reTurnServer.config
@@ -215,11 +215,12 @@ TlsServerCertificateFilename = server.pem
 TlsServerPrivateKeyFilename = 
 
 # TLS temporary Diffie-Hellman parameters file (loaded from working directory)
-# Can be generated with the command:
+# It's strongly recommended to generated own Diffie-Hellman parameters with
+# the command:
 #
-#     openssl dhparam -outform PEM -out dh512.pem 512
+#     openssl dhparam -outform PEM -out dh2048.pem 2048
 #
-TlsTempDhFilename = dh512.pem
+TlsTempDhFilename = dh2048.pem
 
 # TLS server private key certificate password required to read
 # from PEM file.  Leave blank if key is not encrypted.

diff --git a/resiprocate.spec.in b/resiprocate.spec.in
@@ -187,7 +187,7 @@ sed -i \
  -e 's!^#RunAsGroup = return!RunAsGroup = return!' \
  -e 's!^UserDatabaseFile = users.txt!UserDatabaseFile = %{_sysconfdir}/reTurn/users.txt!' \
  -e 's!^UserDatabaseHashedPasswords = false!UserDatabaseHashedPasswords = true!' \
- -e 's!^TlsTempDhFilename = dh512.pem!TlsTempDhFilename = %{_sysconfdir}/reTurn/dh512.pem!' \
+ -e 's!^TlsTempDhFilename = dh2048.pem!TlsTempDhFilename = %{_sysconfdir}/reTurn/dh2048.pem!' \
             %{buildroot}%{_sysconfdir}/reTurn/reTurnServer.config
 install -m 0755 -d %{buildroot}%{_sharedstatedir}/repro
 rm -f %{buildroot}%{_libdir}/lib*.a