[squid-users] dh key too small

Alex Rousskov rousskov at measurement-factory.com
Tue Feb 16 20:24:31 UTC 2021


On 2/15/21 4:42 PM, Marek Greško wrote:
> Hello,
> 
> most probably the problem is on the server side:
> 
> openssl s_client -connect www.p-mat.sk:443 -tls1
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = p-mat.sk
> verify return:1
> 139797750867776:error:141A318A:SSL routines:tls_process_ske_dhe:dh key
> too small:ssl/statem/statem_clnt.c:2157:
> 
> It seems their DH params are too small. What are the possibilities to
> overcome the problem on squid side?

Unfortunately, I can only answer with a question: Does OpenSSL have a
runtime option to allow too-small keys? If yes, you may be able to use
that option with tls_outgoing_options.

Alex.


> 2021-02-15 19:56 GMT+01:00, Marek Greško <mgresko8 at gmail.com>:
>> Hello,
>>
>> I am struggling with "ERROR: negotiating TLS on FD 53:
>> error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
>> (1/-1/0)" error when ssl bumping.
>>
>> I cannot find out where the problem lies and why the key is too small.
>> I regenerated my dhparams with openssl dhparam -outform PEM -out
>> dhparam.pem 4096.
>>
>> http_port 3128 ssl-bump \
>>         generate-host-certificates=on \
>>         dynamic_cert_mem_cache_size=4MB \
>>         cert=/**********************/bump-ca.crt \
>>         key=/**********************/bump-ca.key \
>>         tls-dh=/etc/squid/dhparam.pem
>>
>> ssl_bump peek step1
>> ssl_bump bump bumped_group !bank_dom
>> ssl_bump splice all
>>
>> I use recent Fedora 33 packages.
>>
>> I observe the issue when connecting to https://www.p-mat.sk as a bumped
>> user.
>>
>> Thanks for any help.
>>
>> Marek
>>
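As an added diagnostic (example code written for this thread, not from Squid or OpenSSL), the script below separates the two possible sources of "dh key too small": the peer server's ephemeral DH key, which no squid.conf setting can enlarge, and Squid's own tls-dh file. It assumes a 2048-bit minimum (what OpenSSL enforces at security level 2) and that the s_client capture comes from a handshake that completed, since the "Server Temp Key" line is only printed then (a test client run at a lower security level, e.g. `-cipher 'DEFAULT:@SECLEVEL=1'`, will show it); the sample capture and the PEM are constructed, not real.

```python
import base64
import re

MIN_DH_BITS = 2048  # assumption: the DH minimum OpenSSL enforces at security level 2

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index past it)."""
    first = buf[i]
    if first < 0x80:                  # short form: one byte
        return first, i + 1
    n = first & 0x7F                  # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dhparam_bits(pem):
    """Bit length of prime p in a 'DH PARAMETERS' PEM such as Squid's tls-dh file.
    DER layout: SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    if der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def server_temp_key(s_client_output):
    """Parse the 'Server Temp Key: <kind>, ..., <N> bits' line openssl s_client
    prints after a completed handshake; None when the handshake never got there."""
    m = re.search(r"Server Temp Key: (\w+),.*?(\d+) bits", s_client_output)
    return (m.group(1), int(m.group(2))) if m else None

def diagnose(s_client_output, local_dhparam_pem, min_bits=MIN_DH_BITS):
    """Report which side offers DH parameters below min_bits."""
    weak = []
    key = server_temp_key(s_client_output)
    if key is not None and key[0] == "DH" and key[1] < min_bits:
        weak.append("server")     # the peer's DHE key: squid.conf cannot enlarge it
    local = dhparam_bits(local_dhparam_pem)
    if local < min_bits:
        weak.append("local")      # Squid's own tls-dh file needs regenerating
    return {"server_temp_key": key, "local_dh_bits": local, "weak": weak}

# Constructed sample (not a real capture): s_client output once a 1024-bit DHE
# key is accepted, e.g. from a test client run at a lower security level.
SAMPLE_S_CLIENT = "CONNECTED(00000003)\ndepth=0 CN = example.test\nverify return:1\n" \
                  "---\nServer Temp Key: DH, 1024 bits\n---\n"
# Constructed 1024-bit DH PARAMETERS: p = 0xff...ff is NOT a prime, for parsing only.
SAMPLE_DHPARAM = ("-----BEGIN DH PARAMETERS-----\n" + base64.b64encode(
    bytes.fromhex("308187028181" + "00" + "ff" * 128 + "020102")).decode()
    + "\n-----END DH PARAMETERS-----\n")
```

Running `diagnose()` on the real s_client capture and /etc/squid/dhparam.pem tells you whether only "server" is flagged, in which case the fix belongs on the remote site, not in Squid.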


