Tag Archives: openssl

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

When using Zabbix on a Centos8/RHEL8 machine the following error occurred whil trying to monitor an HTTPS-website via the build in web scenarieos:

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small 

The error itself also shows up when trying to use curl to connect to the website:

$ curl -D - https://<some-legacy-website-> -k
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

That error occurs if the server uses an older cipher-suite that’s considered unsafe by the default crypto policy used in Centos8/RHEL8.


To work around that problem, the legacy cipher suites must be enabled by:

# update-crypto-policies --set LEGACY

Although a restart is recommended after issuing the command, for me it also worked without the need of issuing a reboot.

Webserver certificate -creation script

Today I got some time to take care of my server so i installed the latest updates checkt the system for attacks and when I checkt my SSL-certificates i found out, that they were just valid till April 2015 … UPS … ok they are not officially signed and i just use them to encrypt sensitive communication with my server but i wanted to fix that issue and some other little issues i found when checking my blog with https://www.ssllabs.com/ssltest/analyze.html?d=blog.fawcs.info.

Because I also had to regenerate the certificates for my other subdomains I wrote a little script to do that for me (and to use it in the future, because I always have to look up the SSL-certificat generation)


So here is the script:


if [ -z $1 ];
        echo "Parameter 1 for Domain is missing";

openssl genrsa -out $1.key 2048
openssl req -x509 -new -nodes -key $1.key -days 1024 -out $1.crt -subj "/C=AT/ST=Vienna/L=Vienna/O=fawCS.info/CN=$1"
SSL cert-generation


I also updated the security settings in my virtual host configuration files for some settings. The DH-KeyExchange cipher got excluded from the available ciphers because there is a new attack against DH which makes it vulnerable to MITM-attacks.
http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung-von-zehntausenden-Servern-gefaehrdet-2657502.html [German]

Extract of settings:

TraceEnable off
ServerSignature Off
ServerTokens Prod
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

And it’s always a good idea to to use htaccess with extra users or IP-ACLs to secure specific directories. (for example the wp-admin directory 🙂 )

Some other interesting settings to macke apache more secure can be found her: http://www.tecmint.com/apache-security-tips/