Subject: SSL_connect returned=1 errno=0 state=error: dh key too small

Hubert Kario hkario at redhat.com
Thu Aug 29 15:05:48 UTC 2019


On Wednesday, 28 August 2019 23:20:49 CEST Marcelo Lauxen wrote:
>   Our server runs with DH key size of 2048 bits and we are trying to make
> requests with httparty(https://github.com/jnunemaker/httparty) to a server
> that uses DH key size of 1024 bits, i want to now for what reason we are
> getting this error SSL_connect returned=1 errno=0 state=error: dh key too
> small, it's because different DH key sizes? 🤔
> 
> We haven't control of the server who are using DH key size of 1048 bits.
> 
> I've opened the same issue on httparty
> https://github.com/jnunemaker/httparty/issues/664, but seems not a problem
> with httparty and something with OpenSSL.
> 
> Currently our server is using *OpenSSL 1.1.1c*, but before we was
> using *OpenSSL
> 1.1.0j* and this error doesn't happen. Is OpenSSL blocking the
> communication between our server who uses DH 2048 bits and the other server
> who uses DH 1024 bits (weak Diffie-Hellman)? If yes, is it reported in
> somewhere?
> 
> Our server SSL Labs results:
> https://www.ssllabs.com/ssltest/analyze.html?d=web.monde.com.br&latest
> 
> Server who we are trying make requests:
> https://www.ssllabs.com/ssltest/analyze.html?d=webservices.voeazul.com.br&la
> test

that server is willing to negotiate ECDHE_RSA ciphers, you'd be better off 
disabling ciphers that use DHE and RSA key exchange and using ECDHE_RSA 
instead of trying to make 1024 bit work – it really is weak and should not be 
used (see also: LOGJAM)


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190829/a0b1f0be/attachment-0001.sig>


More information about the openssl-users mailing list