dh key too small


dh key too small

Marek Greško
Hello,

I am struggling with "ERROR: negotiating TLS on FD 53:
error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
(1/-1/0)" error when ssl bumping.

I cannot find out where the problem lies and why the key is too small.
I regenerated my dhparams with openssl dhparam -outform PEM -out
dhparam.pem 4096.

http_port 3128 ssl-bump \
        generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB \
        cert=/**********************/bump-ca.crt \
        key=/**********************/bump-ca.key \
        tls-dh=/etc/squid/dhparam.pem

ssl_bump peek step1
ssl_bump bump bumped_group !bank_dom
ssl_bump splice all

I use recent Fedora 33 packages.

I observe the issue when connecting to https://www.p-mat.sk as a bumped user.

Thanks for any help.

Marek
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: dh key too small

Marek Greško
Hello,

most probably the problem is on the server side:

openssl s_client -connect www.p-mat.sk:443 -tls1
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = p-mat.sk
verify return:1
139797750867776:error:141A318A:SSL routines:tls_process_ske_dhe:dh key
too small:ssl/statem/statem_clnt.c:2157:

It seems their DH params are too small. What are the possibilities to
overcome the problem on squid side? The only one I am currently aware
of is making exception on ssl bump.

Thanks

Marek



2021-02-15 19:56 GMT+01:00, Marek Greško <[hidden email]>:

Re: dh key too small

Alex Rousskov
On 2/15/21 4:42 PM, Marek Greško wrote:

> Hello,
>
> most probably the problem is on the server side:
>
> openssl s_client -connect www.p-mat.sk:443 -tls1
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = p-mat.sk
> verify return:1
> 139797750867776:error:141A318A:SSL routines:tls_process_ske_dhe:dh key
> too small:ssl/statem/statem_clnt.c:2157:
>
> It seems their DH params are too small. What are the possibilities to
> overcome the problem on squid side?

Unfortunately, I can only answer with a question: Does OpenSSL have a
runtime option to allow too-small keys? If yes, you may be able to use
that option with tls_outgoing_options.

Alex.


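The two questions in this thread (how to confirm the origin server's DH group really is the problem, and whether OpenSSL has a runtime option to accept a smaller one) can both be answered with the script below. It is an added example, not code from the thread, from Squid or from OpenSSL. It assumes the "Server Temp Key: DH, N bits" line that OpenSSL 1.1.1 and later s_client print after a completed handshake, and the per-level DH minimums from the SSL_CTX_set_security_level(3) manual page (Fedora's DEFAULT crypto-policy runs OpenSSL at @SECLEVEL=2, a 2048-bit floor). The `-tls1` flag in the posted s_client command restricts the probe to TLS 1.0; the DH size check does not depend on the protocol version, so the probe here uses `-no_tls1_3` instead, which keeps TLS 1.2 and still exercises the ServerKeyExchange path where the small group is sent. The fixtures are constructed, not real output from www.p-mat.sk.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or from Squid/OpenSSL.
# Reproduces the "dh key too small" check OpenSSL applies to the origin
# server's ephemeral DH group and shows how to read the size actually offered.
# Assumptions: OpenSSL 1.1.1+ s_client output format ("Server Temp Key: DH,
# N bits") and the table in the SSL_CTX_set_security_level(3) manual page.

# Minimum DH modulus OpenSSL accepts at each @SECLEVEL.  Fedora's DEFAULT
# crypto-policy sets @SECLEVEL=2, i.e. a 2048-bit floor.
min_dh_bits_for_level() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo "unknown OpenSSL security level: $1" >&2; return 1 ;;
    esac
}

# Extract the finite-field DH group size from s_client output on stdin.
# Prints nothing when the handshake used ECDHE (X25519, P-256, ...) or failed.
temp_key_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p'
}

# Decide whether the s_client output on stdin would pass at security level $1.
# Exit 0 = acceptable, 1 = too small (the error Squid logs), 2 = no DHE seen.
check_dh_output() {
    level=$1
    bits=$(temp_key_bits)
    if [ -z "$bits" ]; then
        echo "no DHE ServerKeyExchange in this handshake"
        return 2
    fi
    need=$(min_dh_bits_for_level "$level") || return 2
    if [ "$bits" -lt "$need" ]; then
        echo "DH $bits bits < $need required at @SECLEVEL=$level: dh key too small"
        return 1
    fi
    echo "DH $bits bits >= $need required at @SECLEVEL=$level: ok"
}

# Live probe (only run when a host is given on the command line).
# @SECLEVEL=0 lets s_client finish the handshake Squid refuses, so the offered
# group size becomes visible; restricting to DHE suites and TLS <= 1.2 forces
# the ServerKeyExchange path in which the small group is sent.
probe_dh() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cipher 'DHE:@SECLEVEL=0' -no_tls1_3 </dev/null 2>/dev/null
}

# Constructed fixtures standing in for real s_client output.
SAMPLE_WEAK_DH='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'
SAMPLE_ECDHE='CONNECTED(00000003)
---
Server Temp Key: X25519, 253 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Usage: sh dhcheck.sh www.example.com [port] [seclevel]
if [ $# -gt 0 ]; then
    probe_dh "$1" "${2:-443}" | check_dh_output "${3:-2}"
fi
```

The security level is the runtime option the reply asks about: in OpenSSL it is set through the cipher string (`@SECLEVEL=n`), not a separate flag. Squid's `tls_outgoing_options` has a `cipher=` setting, and assuming it is handed to OpenSSL's cipher-list parser unchanged, `tls_outgoing_options cipher=DEFAULT:@SECLEVEL=1` would lower the outgoing floor to 1024 bits. That setting applies to every bumped connection, not just one origin, and a 1024-bit group is exactly the size the Logjam precomputation attacks target, so the per-site `ssl_bump splice` exception already mentioned in the thread is the safer way to handle a single badly configured server.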