Socat SSL – SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small


I ran into some trouble when trying to get socat working with openssl and DH key sizes being reported too small and this is how I resolved it.

I was running latest Kali 2.0 and tried setting up socat with ssl.

Generate a client certificate

$ FILENAME=server
$ openssl genrsa -out $FILENAME.key 1024Generate a self signed certificate:
$ openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crtYou will be prompted for your country code, name etc.; you may quit all prompts with the enter key.
$ cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
$ chmod 600 $FILENAME.key $FILENAME.pem

Generate a client certificate

$ FILENAME=client
$ socat openssl-listen:4433,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt echo

$ socat stdio,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt

Received the following error, SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small.

Solution found here!topic/ganeti/ds0TwfroS8A

Resolved by adding DH params to my server pem file.

openssl dhparam -out dhparams.pem 2048
cat dhparams.pem >> server.pem

One thought on “Socat SSL – SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

  1. Anonymous

    Thank You!

    I spent most of the day trying to solve this issue. In my case I use socat to receive POSTs from my website forms. My build is as follows:
    # Build
    OpenBSD 5.7
    socat (Server side CGI)
    Fire Fox 38.0.5 client

    # Socat Command
    $socat -v openssl-listen:5150,cert=/etc/ssl/private/my.pem,verify=0,reuseaddr,fork OPEN:/var/log/posts.txt,creat,append

    1) Firefox reported this error:
    SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

    2) While socat reported this error:
    socat[30822] E SSL_accept(): error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter

    # Issue:
    Per Firefox support site:

    Seems error is the result of a FF browser patch disabling SSL connections allowing themselves to be downgraded to 512 bit key which can be cracked as seen in the recent “Logjam” exploit:

    Anyway I added the dhparms to my pem file as you suggested and it automagically worked.

    Thanks again!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s