On Wednesday, 28 August 2019 23:20:49 CEST Marcelo Lauxen wrote:
> Our server runs with DH key size of 2048 bits and we are trying to make
> requests with httparty (https://github.com/jnunemaker/httparty) to a server
> that uses DH key size of 1024 bits. I want to know for what reason we are
> getting this error: SSL_connect returned=1 errno=0 state=error: dh key too
> small. Is it because of different DH key sizes? 🤔
>
> We don't have control of the server that is using DH key size of 1048 bits.
>
> I've opened the same issue on httparty
> https://github.com/jnunemaker/httparty/issues/664, but it seems not to be a
> problem with httparty and something with OpenSSL.
>
> Currently our server is using *OpenSSL 1.1.1c*, but before we were using
> *OpenSSL 1.1.0j* and this error didn't happen. Is OpenSSL blocking the
> communication between our server, which uses DH 2048 bits, and the other
> server, which uses DH 1024 bits (weak Diffie-Hellman)? If yes, is it
> reported somewhere?
>
> Our server SSL Labs results:
> https://www.ssllabs.com/ssltest/analyze.html?d=web.monde.com.br&latest
>
> Server to which we are trying to make requests:
> https://www.ssllabs.com/ssltest/analyze.html?d=webservices.voeazul.com.br&latest

That server is willing to negotiate ECDHE_RSA ciphers, so you'd be better off
disabling ciphers that use DHE and RSA key exchange and using ECDHE_RSA
instead of trying to make 1024 bit work – it really is weak and should not be
used (see also: LOGJAM).

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
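The reply above recommends turning off DHE and static-RSA key exchange on the
client so that only ECDHE suites are offered. The Ruby script below is an added
example, not code from the thread, from httparty or from OpenSSL: it builds an
OpenSSL::SSL::SSLContext and a Net::HTTP object with such a cipher list and then
checks, from what the context actually reports it will offer, that no DHE or
static-RSA suite is left. The cipher string, the helper names and the use of the
webservices.voeazul.com.br host from the thread as a sample target are assumptions
for illustration; nothing here opens a network connection.

```ruby
require "openssl"
require "net/http"
require "uri"

# OpenSSL cipher-list string (an assumption for this example): keep ECDHE
# suites with AEAD ciphers, then explicitly exclude finite-field DHE (kDHE),
# static RSA key exchange (kRSA) and anonymous/null suites so nothing comes
# back in through an "ALL"-style default.
ECDHE_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!kDHE:!kRSA:!aNULL:!eNULL".freeze

# Build an SSLContext with the restricted list and TLS 1.2 as the floor.
def build_ecdhe_context(cipher_string = ECDHE_ONLY_CIPHERS)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params # default CA store, VERIFY_PEER, hostname verification
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.ciphers = cipher_string
  ctx
end

# Classify a pre-TLS-1.3 suite by its OpenSSL name: DHE suites are prefixed
# "DHE-" (or "EDH-"), static-RSA suites carry no key-exchange prefix at all
# (e.g. "AES128-GCM-SHA256"); only "ECDHE-" suites are acceptable here.
def weak_key_exchange?(name)
  !name.start_with?("ECDHE-")
end

# Names of the legacy (TLS <= 1.2) suites a context will offer that still use
# DHE or static RSA. SSLContext#ciphers returns [name, version, bits, alg_bits]
# tuples; TLS 1.3 suites ("TLS_...") are skipped because their key exchange is
# always ephemeral and is picked through the supported-groups list, not the
# suite name.
def weak_cipher_names(ctx)
  ctx.ciphers
     .reject { |(_name, version, _bits, _alg_bits)| version == "TLSv1.3" }
     .map(&:first)
     .select { |name| weak_key_exchange?(name) }
end

def ecdhe_only?(ctx)
  weak_cipher_names(ctx).empty?
end

# Net::HTTP exposes the same knobs as setters; httparty's `ciphers:` option is
# forwarded to Net::HTTP#ciphers= (confirm against the httparty version in use).
# Constructing the object does not connect, so this runs offline.
def ecdhe_only_http(uri_string)
  uri = URI(uri_string)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http.ciphers = ECDHE_ONLY_CIPHERS
  http
end

if __FILE__ == $PROGRAM_NAME
  ctx = build_ecdhe_context
  puts "offered suites: #{ctx.ciphers.map(&:first).join(', ')}"
  puts "weak key exchange left: #{weak_cipher_names(ctx).inspect}"
  puts "ECDHE only? #{ecdhe_only?(ctx)}"
end
```

Note the trade-off: with kDHE and kRSA removed on the client, a server that
offers nothing but DHE with a 1024-bit group no longer fails with "dh key too
small"; the handshake fails earlier because no cipher suite is shared, which is
the intended outcome here. The SSL Labs report linked in the question shows the
target also accepts ECDHE_RSA, so the restricted list should negotiate fine with
it.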