On 2/15/21 4:42 PM, Marek Greško wrote:
> Hello,
>
> most probably the problem is on the server side:
>
> openssl s_client -connect www.p-mat.sk:443 -tls1
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = p-mat.sk
> verify return:1
> 139797750867776:error:141A318A:SSL routines:tls_process_ske_dhe:dh key
> too small:ssl/statem/statem_clnt.c:2157:
>
> It seems their DH params are too small. What are the possibilities to
> overcome the problem on squid side?

Unfortunately, I can only answer with a question: Does OpenSSL have a
runtime option to allow too-small keys? If yes, you may be able to use
that option with tls_outgoing_options.

Alex.

> 2021-02-15 19:56 GMT+01:00, Marek Greško <mgresko8@xxxxxxxxx>:
>> Hello,
>>
>> I am struggling with "ERROR: negotiating TLS on FD 53:
>> error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
>> (1/-1/0)" error when ssl bumping.
>>
>> I cannot find out where the problem lies and why the key is too small.
>> I regenerated my dhparams with openssl dhparam -outform PEM -out
>> dhparam.pem 4096.
>>
>> http_port 3128 ssl-bump \
>> generate-host-certificates=on \
>> dynamic_cert_mem_cache_size=4MB \
>> cert=/**********************/bump-ca.crt \
>> key=/**********************/bump-ca.key \
>> tls-dh=/etc/squid/dhparam.pem
>>
>> ssl_bump peek step1
>> ssl_bump bump bumped_group !bank_dom
>> ssl_bump splice all
>>
>> I use recent Fedora 33 packages.
>>
>> I observe the issue when connecting to https://www.p-mat.sk as a bumped
>> user.
>>
>> Thanks for any help.
>>
>> Marek
>>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>
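A diagnostic for the "dh key too small" failure discussed above, added here as an example and not code from either poster: it forces a DHE suite against the origin server, reads the ephemeral group size that OpenSSL's s_client reports, and compares it with an assumed 2048-bit floor. The host, port and MIN_DH_BITS threshold are assumptions; the SECLEVEL=0 cipher string is applied to this single probe only so that a small group is measured rather than rejected before its size can be seen.

```shell
#!/bin/sh
# dh_probe.sh: measure the ephemeral DH group a TLS 1.2 server actually sends
# and judge it against a minimum size. Diagnostic only; nothing is changed.

# Assumed threshold: 2048 bits (what Fedora's DEFAULT crypto-policy accepts);
# override with MIN_DH_BITS=... in the environment if your policy differs.
MIN_DH_BITS="${MIN_DH_BITS:-2048}"

# Read `openssl s_client` output on stdin and print "<kex> <bits>", e.g.
# "DH 1024" or "ECDH 256"; print nothing if there is no "Server Temp Key" line.
parse_temp_key() {
    sed -n 's/^Server Temp Key: \([A-Za-z0-9]*\),.* \([0-9][0-9]*\) bits$/\1 \2/p' |
        head -n 1
}

# Exit status: 0 = acceptable, 1 = finite-field DH below MIN_DH_BITS,
# 2 = no ephemeral key seen (handshake failed or no (EC)DHE suite negotiated).
judge_temp_key() {
    kex="$1"; bits="$2"
    case "$kex" in
        DH) [ "$bits" -ge "$MIN_DH_BITS" ] ;;
        ECDH|X25519|X448) return 0 ;;  # curves are not what "dh key too small" rejects
        *) return 2 ;;
    esac
}

# Force a DHE suite so the server must send its DH group, and lower OpenSSL's
# security level for this probe only, so a small group is reported instead of
# aborting the handshake before its size can be read.
probe_server() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -tls1_2 -cipher 'DHE:@SECLEVEL=0' </dev/null 2>&1)
    set -- $(printf '%s\n' "$out" | parse_temp_key)
    judge_temp_key "${1:-none}" "${2:-0}"
    rc=$?
    case $rc in
        0) echo "$host:$port ephemeral key $1, $2 bits: OK (minimum $MIN_DH_BITS)" ;;
        1) echo "$host:$port DH group is $2 bits, below $MIN_DH_BITS: fix belongs on the server" ;;
        *) echo "$host:$port no ephemeral key observed; raw output follows"; printf '%s\n' "$out" ;;
    esac
    return $rc
}

if [ $# -gt 0 ]; then probe_server "$1" "${2:-443}"; fi
```

Run it as `sh dh_probe.sh www.example.org 443`; an exit status of 1 confirms the origin's group is what the proxy-side OpenSSL policy is rejecting.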