Wednesday, January 12, 2022

dh key too small solution

When using the latest version of OpenSSL, a TLS connection fails with the following error:

139640766993728:error:141A318A: SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2156:

or, with qmail + TLS patch:

qmail deferral: TLS_connect_failed:_error:141A318A: SSL_routines:tls_process_ske_dhe:dh_key_too_small...

Edit your openssl.cnf file (Debian - /etc/ssl/openssl.cnf):

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Change the SECLEVEL in the default CipherString to 1:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1

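This is less secure, because security level 1 accepts the small DH keys that level 2 rejects, and it applies to every program that relies on these system defaults. But it works.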