Tag Archives: rhel

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

When using Zabbix on a Centos8/RHEL8 machine the following error occurred whil trying to monitor an HTTPS-website via the build in web scenarieos:

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small 

The error itself also shows up when trying to use curl to connect to the website:

$ curl -D - https://<some-legacy-website-> -k
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

That error occurs if the server uses an older cipher-suite that’s considered unsafe by the default crypto policy used in Centos8/RHEL8.


To work around that problem, the legacy cipher suites must be enabled by:

# update-crypto-policies --set LEGACY

Although a restart is recommended after issuing the command, for me it also worked without the need of issuing a reboot.

Get CVE information from NIST NVD and RHEL

Just two littel scripts that come handy if you want to download all the CVE info in JSON format for offline use.

urls=$(curl https://nvd.nist.gov/vuln/data-feeds#JSON_FEED | grep 'https://' | grep -i json.gz | sed 's/.*href=//g' | cut -d\'  -f2)

mkdir -p ./nistNvdJson
cd nistNvdJson
for l in $urls;
wget $l
gunzip *
Donwload NIST NVD CVEs in JSON



mkdir $dataDir -p
echo "getting data:"
T="$(date +%s)"
while [[ $loopVar -ne 0 ]];
        echo -n "-$loopVar- "
        data=$(curl -s https://access.redhat.com/labs/securitydataapi/cve.json?page=$loopVar)
        if [[ "$data" == "[]" ]]; then
                toFile=$toFile${data:1:-1}", "
                let loopVar=loopVar+1
T="$(($(date +%s)-T))"
echo "[${toFile::-2}]" >> "$dataDir/rhelCve.json"
sed -i 's/^\[\]$//g' "$dataDir/rhelCve.json"
printf "Got data in: %02dd:%02dh:%02dm:%02ds\n" "$((T/86400))" "$((T/3600%24))" "$((T/60%60))" "$((T%60))"
Get CVE infos for RHEL


Additional information:
If you query the NIST NVD Data and search for RHEL CPEs you won’t get a lot of hits as only a smal percentage of the CVEs that affect Red Hat software has the correct CPE attached. However – NIST NVD is nice to have because in the Red Hat CVEs only the total CVSS score is listed but no detailed vulnerability metrics are included.