openvpn – “OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small” after upgrade to Debian Buster

another thing to adjust after the upgrade to Buster. on an openvpn endpoint whose config – /etc/openvpn/whatever.conf – had: dh dh1024.pem the vpn service did not start.

tail -f /var/log/syslog showed:

Aug 17 04:33:43 xyz ovpn-dialin-https[1472]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Aug 17 04:33:43 xyz ovpn-dialin-https[1472]: OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small
Aug 17 04:33:43 xyz ovpn-dialin-https[1472]: SSL_CTX_set_tmp_dh
Aug 17 04:33:43 xyz ovpn-dialin-https[1472]: Exiting due to fatal error

apparently the new version of openssl no longer accepts a 1024-bit Diffie-Hellman group. solution:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

and change /etc/openvpn/whatever.conf from dh dh1024.pem to dh dh2048.pem
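To catch this before an upgrade rather than from syslog afterwards, here is an added example (not from the original post, and not OpenVPN or OpenSSL code) that audits an OpenVPN server config: it finds the dh directive, parses the PEM "DH PARAMETERS" file (PKCS#3 DER, a SEQUENCE of the prime p and generator g) in pure Python, and flags anything under 2048 bits, which is the minimum OpenSSL 1.1.1 enforces at its default security level. The dh directive only exists in server configs, so this is a server-side check. The DH files used in the demo are constructed fixtures whose p values are merely odd numbers of the right size, not real safe primes; real parameters come from the openssl dhparam command above.

```python
import base64
import re

MIN_DH_BITS = 2048  # minimum accepted by OpenSSL 1.1.1 at default security level 2


def _read_der_length(data, idx):
    """Return (length, next_index) for the DER length field at data[idx]."""
    first = data[idx]
    if first < 0x80:
        return first, idx + 1
    num_bytes = first & 0x7F
    length = int.from_bytes(data[idx + 1:idx + 1 + num_bytes], "big")
    return length, idx + 1 + num_bytes


def _read_der_integer(data, idx):
    """Parse a DER INTEGER at data[idx]; return (value, next_index)."""
    if data[idx] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % idx)
    length, idx = _read_der_length(data, idx + 1)
    value = int.from_bytes(data[idx:idx + length], "big", signed=True)
    return value, idx + length


def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block (PKCS#3: SEQUENCE { p, g })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, idx = _read_der_length(der, 1)   # skip over the outer SEQUENCE header
    p, _ = _read_der_integer(der, idx)  # first element is the prime p
    return p.bit_length()


def make_dh_pem(p, g=2):
    """Encode (p, g) as a PEM DH PARAMETERS block; used here only to build fixtures."""
    def der_len(n):
        if n < 0x80:
            return bytes([n])
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(lb)]) + lb

    def der_int(n):
        # (bit_length + 8) // 8 bytes leaves room for the leading 0x00 DER needs when the MSB is set
        body = n.to_bytes((n.bit_length() + 8) // 8, "big")
        return b"\x02" + der_len(len(body)) + body

    content = der_int(p) + der_int(g)
    der = b"\x30" + der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def find_dh_directive(config_text):
    """Argument of the 'dh' directive in an OpenVPN server config, or None if absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] == "dh":
            return parts[1]
    return None


def audit_dh(config_text, read_file):
    """Decide whether a config's DH file will pass the >= MIN_DH_BITS check.
    read_file(path) -> PEM text; injected so the audit can run on in-memory fixtures."""
    dh_arg = find_dh_directive(config_text)
    if dh_arg is None or dh_arg == "none":
        # no DH file, or 'dh none' (OpenVPN 2.4+: ECDH only); nothing to regenerate
        return {"dh": dh_arg, "bits": None, "ok": True}
    bits = dh_prime_bits(read_file(dh_arg))
    return {"dh": dh_arg, "bits": bits, "ok": bits >= MIN_DH_BITS}


if __name__ == "__main__":
    # Constructed fixtures: NOT real safe primes, only the right size to exercise the check.
    fixtures = {
        "dh1024.pem": make_dh_pem((1 << 1023) | 1),
        "dh2048.pem": make_dh_pem((1 << 2047) | 1),
    }
    for name in fixtures:
        print(name, audit_dh("port 443\ndh %s\n" % name, fixtures.get))
```

On a real host, pass a function that reads the path relative to /etc/openvpn; the same bit count can be cross-checked with openssl dhparam -in /etc/openvpn/dh1024.pem -text -noout, which prints the parameter size in its first line.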
