OpenSSL DH Key Too Small Error
In my case the only solution was to set CipherString in /etc/ssl/openssl.cnf
from
CipherString = DEFAULT@SECLEVEL=2
to
CipherString = DEFAULT@SECLEVEL=1
For OpenVPN files, add the entry below to your .ovpn file:
tls-cipher "DEFAULT:@SECLEVEL=0"
Refer here: https://forums.openvpn.net/viewtopic.php?t=23979#p71603
... SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
I have looked into using LWP and raw Net::SSLeay, but the problem seems to be in the underlying OpenSSL libs.
While it is caused by changes to OpenSSL, the problem is actually on the server side. The server is using a weak DH key within the key exchange, and recent versions of OpenSSL enforce a non-weak DH key because of the Logjam attack.
If the server supports ciphers which don't use DH key exchange you can work around the problem by restricting the ciphers offered by the client so that they don't include any DH ciphers.
my $sock = IO::Socket::SSL->new(..., SSL_cipher_list => 'DEFAULT:!DH' ...);
Apart from that, simply disabling any validation like you do is bad:
...
verify_hostname => 0,
SSL_verify_mode => SSL_VERIFY_NONE,
SSL_verifycn_scheme => undef
For one, verify_hostname is not a valid parameter at all (this is for LWP only). Also, you don't need to set an SSL_verifycn_scheme if you disable validation with SSL_verify_mode, since no validation also means no validation of the certificate's subject.
But much better than disabling validation would be to use SSL_fingerprint to specify which certificate you expect, and thus have a proper check even for self-signed or expired certificates. See common usage errors in the IO::Socket::SSL documentation for more information.
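Added example, not part of the answer above: the two recommendations it makes (drop DH key exchange from the client's cipher list; pin the expected certificate instead of switching verification off) written for Python's ssl module, since the underlying issue is OpenSSL-level rather than Perl-specific. The host, port and pin value are placeholders the caller supplies; the pin uses the same 'algo$hex' shape as IO::Socket::SSL's SSL_fingerprint.

```python
import hashlib
import hmac
import socket
import ssl

# Same idea as IO::Socket::SSL's SSL_cipher_list => 'DEFAULT:!DH': never offer
# suites with finite-field DH key exchange, so the server's weak DH parameters
# are never used (the server must still support ECDHE or RSA key exchange).
NO_DH_CIPHERS = "DEFAULT:!DH"


def make_context(ciphers=NO_DH_CIPHERS):
    """Client context with normal CA validation but without DH suites."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(ciphers)
    return ctx


def dh_suites(ctx):
    """Names of enabled TLS 1.2 suites whose key exchange is DHE (kea 'kx-dhe')."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-dhe"]


def fingerprint(der_cert, algo="sha256"):
    """Hex digest of a DER certificate, as used in an 'algo$hex' pin."""
    return hashlib.new(algo, der_cert).hexdigest()


def pin_matches(der_cert, expected_pin):
    """Compare the peer certificate with an 'algo$hex' pin in constant time."""
    algo, _, digest = expected_pin.partition("$")
    return hmac.compare_digest(fingerprint(der_cert, algo), digest.lower())


def connect_pinned(host, port, expected_pin, ciphers=NO_DH_CIPHERS):
    """Connect without CA/hostname validation and instead require the peer's
    leaf certificate to match expected_pin (works for self-signed/expired certs).
    host, port and expected_pin are placeholders supplied by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no chain check: the pin below is the check
    ctx.set_ciphers(ciphers)
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if not pin_matches(der, expected_pin):
        sock.close()
        raise ssl.SSLError("certificate pin mismatch for %s: got sha256$%s"
                           % (host, fingerprint(der)))
    return sock
```

Print `fingerprint(sock.getpeercert(binary_form=True))` once against the known-good server to obtain the value to pin.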