Showing posts with label openssl. Show all posts

Wednesday, January 12, 2022

dh key too small solution

When using the latest version of openssl, a TLS connection fails with the following error:

139640766993728:error:141A318A: SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2156:

or with qmail + TLS patch

qmail deferral: TLS_connect_failed:_error:141A318A: SSL_routines:tls_process_ske_dhe:dh_key_too_small...

Edit your openssl.cnf file (Debian - /etc/ssl/openssl.cnf). The shipped default is:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Change the SECLEVEL in CipherString from 2 to 1:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1

Less secure but it works: SECLEVEL=2 rejects DH parameters shorter than 2048 bits, SECLEVEL=1 accepts them down to 1024 bits, so this only works around the remote server's weak DH parameters rather than fixing them, and it lowers the bar for every program on the box that reads this file.

Thursday, January 12, 2017

OpenVPN renew expired CA, revoke certificate and other notes

OpenVPN and OpenSSL notes

View contents of a certificate file:

# openssl x509 -noout -text -in certificate-file.crt

Generate a new CA certificate from the expired one by re-signing it with the same key (this is not a good practice!!!):

# openssl x509 -in ca.crt -days 4650 -out ca_new.crt -signkey ca.key

Verify crt file against CA (options go before the certificate file, and the flag is -CAfile):

# openssl verify -CAfile ca.crt newserver.crt

Revoking certificate:

# . ./vars
# ./revoke-full name_of_cert_file

The result is in keys/crl.pem. You need to copy it to /etc/openvpn/ (the path the server's crl-verify option points at).

Checking contents of crl.pem file:

# openssl crl -text -noout -in /etc/openvpn/crl.pem

Regenerate expired CRL file:

# openssl ca  -gencrl -keyfile ca.key -cert ca.crt -out new-crl.pem -config ./openssl.cnf

You also need to set this in openssl.cnf if you want to change the default CRL validity (1 month):

default_crl_days= 3650         # how long before next CRL
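The sign / verify / revoke / regenerate-CRL steps above, run end to end against a throwaway CA in a temp directory. This is an added, constructed demo (not the post's scripts; easy-rsa's ./revoke-full wraps the same openssl ca calls) and assumes only that the openssl CLI is installed; names like demo-ca, srv.crt and ca.cnf are made up for the demo.

```shell
# Constructed walk-through: issue a cert, verify it, revoke it, regenerate the
# CRL, then show that verification with CRL checking now rejects it.
crl_demo() {
  d=$(mktemp -d) && cd "$d" || return 1
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30          # the knob the post raises to 3650
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = placeholder               # overridden by -subj below
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  # 1. self-signed demo CA, then a server cert issued by it
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
    -subj /CN=demo-ca -keyout ca.key -out ca.crt 2>/dev/null || return 1
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj /CN=server -keyout srv.key -out srv.csr 2>/dev/null || return 1
  openssl ca -batch -notext -config ca.cnf -in srv.csr -out srv.crt >/dev/null 2>&1 || return 1
  # 2. plain chain check passes (options before the cert file, -CAfile)
  openssl verify -CAfile ca.crt srv.crt >/dev/null 2>&1 || { echo chain_failed; return 1; }
  # 3. revoke and regenerate the CRL, as revoke-full / openssl ca -gencrl do
  openssl ca -config ca.cnf -revoke srv.crt >/dev/null 2>&1 || return 1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || return 1
  # 4. with -crl_check the revoked cert must now be rejected
  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem srv.crt >/dev/null 2>&1
  then echo still_valid; return 1; else echo revoked; fi
}
```

Inspect the generated crl.pem with the openssl crl command from the post to see the revoked serial listed.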