Xymon Mailing List Archive search

error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

list Paul Root
Mon, 24 Apr 2017 13:44:09 +0000
Message-Id: <user-d27e543471bc@xymon.invalid>

My keys are all 2048.

From: Dominique Frise [mailto:user-78ab6673b600@xymon.invalid]
Sent: Monday, April 24, 2017 1:42 AM
To: Root, Paul T; xymon at xymon.com
Subject: RE: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small


OpenSSL was probably updated on your proxy and it reports a problem on the server you are testing (NNN.NNN.NNN.NNN). This server is using a weak DH key within the key exchange and recent versions of OpenSSL enforce a non-weak DH key because of the Logjam attack (https://weakdh.org/).


Dominique

From: Xymon <xymon-bounces at xymon.com> on behalf of Root, Paul T <user-76fdb6883669@xymon.invalid>
Sent: Friday, April 21, 2017 20:40
To: xymon at xymon.com
Subject: [Xymon] error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

We patched our OS on our xymon proxy servers, and now we get the error in the xymonnet test

Error output:
Unspecified SSL error in SSL_connect to https (47873/tcp) on host NNN.NNN.NNN.NNN: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small


It looks like it’s some sort of issue with an openssl patch.

The machines in question are CentOS 6.9, and xymon is 4.3.21, that we packaged ourselves.

I vaguely remember others having issues with SSL certs and xymon late last year.

Does anybody have an explanation or solution?


Thanks,
Paul.
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
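The error in this thread concerns the ephemeral DH parameters of the key exchange, which `openssl s_client` (OpenSSL 1.0.2 and later) reports on a different line from the certificate key size. As an added example (not part of the thread and not Xymon code), this shell function reads saved `s_client` output and reports both values; the sample lines are constructed, and the 2048-bit minimum is an assumed policy value, not the limit built into any OpenSSL release.

```shell
#!/bin/sh
# Added example: tell the certificate key size apart from the ephemeral
# DH size in `openssl s_client` output. Function names are hypothetical.

# Assumed policy value (weakdh.org recommends 2048-bit DH groups).
MIN_DH_BITS=${MIN_DH_BITS:-2048}

# Reads s_client output on stdin and prints one summary line.
# Exit status: 0 = acceptable, 1 = finite-field DH below the minimum,
#              2 = no "Server Temp Key" line (no ephemeral key exchange seen).
check_dh() {
    awk -v min="$MIN_DH_BITS" '
        # "Server public key is 2048 bit" -> size of the certificate key
        /^Server public key is [0-9]+ bit/ { cert = $5 }
        # "Server Temp Key: DH, 1024 bits"
        # "Server Temp Key: ECDH, P-256, 256 bits"
        /^Server Temp Key:/ {
            type = $4; sub(/,$/, "", type)
            bits = $(NF - 1)
        }
        END {
            if (type == "") {
                print "cert=" cert " kex=none verdict=unknown"
                exit 2
            }
            # Only finite-field DH is compared with the minimum; ECDH and
            # X25519 sizes are on a different scale.
            verdict = (type == "DH" && bits + 0 < min + 0) ? "weak-dh" : "ok"
            print "cert=" cert " kex=" type " kexbits=" bits " verdict=" verdict
            exit (verdict == "weak-dh")
        }'
}

# Constructed sample: the two relevant s_client lines for a given key exchange.
sample() {
    printf 'Server Temp Key: %s\nServer public key is 2048 bit\n' "$1"
}

sample "DH, 1024 bits" | check_dh || true
sample "ECDH, P-256, 256 bits" | check_dh || true
```

A server can present a 2048-bit certificate key and still be flagged here, because the DH group used for the key exchange is configured separately on the server.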