OpenSSL DH Key Too Small Error

In my case only solution was to set CipherString in /etc/ssl/openssl.cnf from

CipherString = DEFAULT@SECLEVEL=2

to

CipherString = DEFAULT@SECLEVEL=1

For OpenVPN files, add below entry to your .ovpn file:

tls-cipher "DEFAULT:@SECLEVEL=0"

Refer here: https://forums.openvpn.net/viewtopic.php?t=23979#p71603


... SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

I have looked in to using LWP and raw Net:SSLeay, but the problem seems to be in the underlying OpenSSL libs.

While it is caused by changes to OpenSSL the problem is actually at the server side. The server is using a weak DH key within the key exchange and recent versions of OpenSSL enforce a non-weak DH key because of the Logjam attack.

If the server supports ciphers which don't use DH key exchange you can work around the problem by restricting the ciphers offered by the client so that they don't include any DH ciphers.

my $sock = IO::Socket::SSL->new(..., SSL_cipher_list => 'DEFAULT:!DH' ...);

Apart from that simply disabling any validation like you do is bad:

    ...
    verify_hostname => 0,   
    SSL_verify_mode => SSL_VERIFY_NONE,
    SSL_verifycn_scheme => undef

For one, verify_hostname is not a valid parameter at all (this is for LWP only). Also, you don't need to set a SSL_verifycn_scheme if you disable validation with SSL_verify_mode since no validation also means no validation of the certificates subject.

But much better than disabling validation would be to use SSL_fingerprint to specify which certificate you expect and thus have a proper check even for self-signed or expired certificates. See common usage errors in the IO::Socket::SSL documentation for more information.

Tags:

Perl

Ssl

Openssl