another thing to adjust after the upgrade to Buster. on an openvpn endpoint that in its config – /etc/openvpn/whatever.conf – had:
dh dh1024.pem
the vpn service did not start.
tail -f /var/log/syslog showed:
Aug 17 04:33:43 xyz ovpn-dialin-https[1472]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10
Aug 17 04:33:43 xyz ovpn-dialin-https[1472]: OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small
Aug 17 04:33:43 xyz ovpn-dialin-https[1472]: SSL_CTX_set_tmp_dh
Aug 17 04:33:43 xyz ovpn-dialin-https[1472]: Exiting due to fatal error
apparently the new version of openssl no longer accepts a 1024-bit Diffie-Hellman group. solution:
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
and in /etc/openvpn/whatever.conf change dh dh1024.pem to dh dh2048.pem
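
to find every config that will hit this before restarting the service, here is an added example (not part of the original post) that reads the dh directive from each openvpn config and reports the size of the file it points to. the function names and the script name are hypothetical, and it assumes a relative dh path is resolved against the config's own directory.

```shell
#!/bin/sh
# Added example (not from the original post): flag OpenVPN configs whose
# "dh" file is smaller than the 2048 bits used in the fix above.
MIN_BITS=2048

# Print the argument of the first active "dh" directive in a config file.
dh_path_from_conf() {
    awk '$1 == "dh" { print $2; exit }' "$1"
}

# Read `openssl dhparam -text -noout` output on stdin, print the bit length.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print "ok" or "too-small" for a bit length.
classify_bits() {
    if [ "$1" -ge "$MIN_BITS" ]; then echo ok; else echo too-small; fi
}

# Audit one config; returns non-zero when the dh file is missing or too small.
audit_conf() {
    conf=$1
    dh=$(dh_path_from_conf "$conf")
    [ -n "$dh" ] || { echo "$conf: no dh directive"; return 0; }
    case $dh in
        none) echo "$conf: dh none"; return 0 ;;
        /*) ;;
        *) dh=$(dirname "$conf")/$dh ;;   # assumption: relative to config dir
    esac
    [ -r "$dh" ] || { echo "$conf: cannot read $dh"; return 1; }
    bits=$(openssl dhparam -in "$dh" -text -noout 2>/dev/null | dh_bits_from_text)
    [ -n "$bits" ] || { echo "$conf: $dh is not a DH parameter file"; return 1; }
    verdict=$(classify_bits "$bits")
    echo "$conf: $dh is $bits bit ($verdict)"
    [ "$verdict" = ok ]
}

# Usage: sh check-dh.sh /etc/openvpn/*.conf   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    rc=0
    for conf in "$@"; do audit_conf "$conf" || rc=1; done
    exit "$rc"
fi
```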
Sweet, this helped diagnose an imap/dovecot problem.
i’m glad it helped you!
Same here after server update – a big help this morning thank you!
Thanks, simple but very helpful