Ubuntu
tcltls package

"dh key too small" after updating to latest openssl package

Bug #1464626 reported by Doug Burks
44
This bug affects 9 people
Affects Status Importance Assigned to Milestone
tcltls (Debian)
Fix Released
Unknown
tcltls (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

I maintain Ubuntu 12.04 packages for Sguil (http://sguil.net), which is written in tcl/tk. After installing the recent openssl updates (libssl1.0.0 1.0.1-4ubuntu5.31), the Sguil client reports:

Error: SSL channel "sock4": error: dh key too small

This error message seems related to this:

"As a security improvement, this update also modifies OpenSSL behaviour to
reject DH key sizes below 768 bits, preventing a possible downgrade
attack."

http://www.ubuntu.com/usn/usn-2639-1/

I did "apt-get source tcltls" and, based on quick review, it seems that tls.c is using DH512.

Is this going to be updated to 768 or higher?

Thanks!

Tags: weakdh
Revision history for this message
Doug Burks (doug-burks) wrote :

Also found this bug at the upstream tcltls project:
http://sourceforge.net/p/tls/bugs/59/

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in tcltls (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold)
tags: added: weakdh
Bug Watch Updater (bug-watch-updater)
Changed in tcltls (Debian):
status: Unknown → New
Revision history for this message
Jorge Mota (jomimota) wrote :

I have the same problem here.
I can't send mail to a smtp relay via postfix smtp.

mail.log:

postfix/smtp[4255]: warning: TLS library problem: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3339:
postfix/smtp[4255]: 9015A402985: Cannot start TLS: handshake failure

Revision history for this message
Allan (wallanedwards) wrote :

I have a node.js app that accesses mariadb via ssl. Before I updated ubuntu a few weeks ago everything ran fine. In fact, the node.js code runs correctly on windows and mac but on Linux I get the following now. I am assuming this bug is the cause?

events.js:72
        throw er; // Unhandled 'error' event
              ^
Error: 140298345338752:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3339:

    at SlabBuffer.use (tls.js:232:18)
    at CleartextStream.read [as _read] (tls.js:452:29)
    at CleartextStream.Readable.read (_stream_readable.js:320:10)
    at EncryptedStream.write [as _write] (tls.js:366:25)
    at doWrite (_stream_writable.js:223:10)
    at writeOrBuffer (_stream_writable.js:213:5)
    at EncryptedStream.Writable.write (_stream_writable.js:180:11)
    at Socket.Connection._startTLS
    at Socket.EventEmitter.emit (events.js:95:17)
    at Socket.stream.pause.paused (_stream_readable.js:746:14)

Revision history for this message
Andre (andresavva) wrote :

OpenVPN also fails to connect after update

TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Revision history for this message
Jack (jagandecapri) wrote :

Facing this same bug too.

I couldn't connect to remote MariaDB database using SSL connection.
PHP codes connecting to remote db also does not work.

Revision history for this message
Jack (jagandecapri) wrote :

I am facing this bug too.

I couldn't connect to remote database and PHP code also does not work.

Revision history for this message
Holger (holger-jakobs) wrote :

This is a very serious and urgent problem as it prevents vital communication.

Bug Watch Updater (bug-watch-updater)
Changed in tcltls (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.