Socat SSL – SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

Introduction

I ran into some trouble when trying to get socat working with openssl and DH key sizes being reported too small and this is how I resolved it.

I was running latest Kali 2.0 and tried setting up socat with ssl.

http://www.dest-unreach.org/socat/doc/socat-openssltunnel.html

Generate a client certificate

$ FILENAME=server
$ openssl genrsa -out $FILENAME.key 1024Generate a self signed certificate:
$ openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crtYou will be prompted for your country code, name etc.; you may quit all prompts with the enter key.
$ cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
$ chmod 600 $FILENAME.key $FILENAME.pem

Generate a client certificate

$ FILENAME=client
$ socat openssl-listen:4433,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt echo

$ socat stdio openssl-connect:server.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt

Received the following error, SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small.

Solution found here https://groups.google.com/forum/#!topic/ganeti/ds0TwfroS8A

Resolved by adding DH params to my server pem file.

openssl dhparam -out dhparams.pem 2048
cat dhparams.pem >> server.pem
Advertisements

One thought on “Socat SSL – SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

  1. Anonymous

    Thank You!

    I spent most of the day trying to solve this issue. In my case I use socat to receive POSTs from my website forms. My build is as follows:
    # Build
    OpenBSD 5.7
    httpd
    socat 1.7.2.4p1 (Server side CGI)
    Fire Fox 38.0.5 client

    # Socat Command
    $socat -v openssl-listen:5150,cert=/etc/ssl/private/my.pem,verify=0,reuseaddr,fork OPEN:/var/log/posts.txt,creat,append

    1) Firefox reported this error:
    SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

    2) While socat reported this error:
    socat[30822] E SSL_accept(): error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter

    # Issue:
    Per Firefox support site: https://support.mozilla.org/en-US/questions/1066238

    Seems error is the result of a FF browser patch disabling SSL connections allowing themselves to be downgraded to 512 bit key which can be cracked as seen in the recent “Logjam” exploit: http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/

    Anyway I added the dhparms to my pem file as you suggested and it automagically worked.

    Thanks again!

    jr

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s