[squid-users] dh key too small

Marek Greško mgresko8 at gmail.com
Mon Feb 15 21:42:00 UTC 2021


Hello,

most probably the problem is on the server side:

openssl s_client -connect www.p-mat.sk:443 -tls1
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = p-mat.sk
verify return:1
139797750867776:error:141A318A:SSL routines:tls_process_ske_dhe:dh key
too small:ssl/statem/statem_clnt.c:2157:

It seems their DH params are too small. What are the possibilities to
overcome the problem on squid side? The only one I am currently aware
of is making exception on ssl bump.

Thanks

Marek



2021-02-15 19:56 GMT+01:00, Marek Greško <mgresko8 at gmail.com>:
> Hello,
>
> I am struggling with "ERROR: negotiating TLS on FD 53:
> error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
> (1/-1/0)" error when ssl bumping.
>
> I cannot find out where the problem liesand why is the key too small.
> I regenerated my dhparams with openssl dhparam -outform PEM -out
> dhparam.pem 4096.
>
> http_port 3128 ssl-bump \
>         generate-host-certificates=on \
>         dynamic_cert_mem_cache_size=4MB \
>         cert=/**********************/bump-ca.crt \
>         key=/**********************/bump-ca.key \
>         tls-dh=/etc/squid/dhparam.pem
>
> ssl_bump peek step1
> ssl_bump bump bumped_group !bank_dom
> ssl_bump splice all
>
> I use recent Fedora 33 packages.
>
> I observe the issue when connecting to https://www.p-mat.sk as a bumped
> user.
>
> Thanks for any help.
>
> Marek
>


More information about the squid-users mailing list