SSL Key to Small?? #126

Closed
liamsgotgenes opened this issue Sep 7, 2018 · 11 comments

@liamsgotgenes

liamsgotgenes commented Sep 7, 2018

I installed Barrier on both my desktop and laptop, both running Debian sid. Install went perfectly, but I seem to have a problem using the application itself. On the server log, I keep on receiving:

ERROR: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

On the client the log says:

ERROR: ssl error occurred (system call failure)
ERROR: failed to connect to a secure socket

This happens regardless of which machine is server/client.
Any ideas what this means and the solution?

Using OpenSSL 1.1.1 if that matters at all.

@liamsgotgenes
Author

I have gotten it to work by disabling SSL on Barrier, but this is not the ideal solution. If anyone has any idea, let me know!

@walker0643
Member

I'm not able to reproduce this error for myself, but after a small bit of research (see https://weakdh.org/) I believe bumping the SSL cert key size is a good idea regardless. Please reopen if this issue comes back. Thanks!

AdrianKoshka pushed a commit that referenced this issue Oct 12, 2018
Done in order to match the size specified in src/gui/src/SslCertificate.cpp

Also see Debian bug #907528 http://bugs.debian.org/907528

Related to Barrier Issue #126

@andreysm

I've encountered this problem with the latest version.

Built v2.2.0 (master) from sources both on Mac and Linux.
Server: Debian Linux (testing)
Client: MacOS Mojave 10.14.5

Error:
[2019-06-26T18:40:19] INFO: OpenSSL 1.1.1c 28 May 2019
[2019-06-26T18:33:10] DEBUG1: openSSL : compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-of5rlU/openssl-1.1.1c=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[2019-06-26T18:33:10] DEBUG1: openSSL : built on: Thu May 30 15:27:48 2019 UTC
[2019-06-26T18:33:10] DEBUG1: openSSL : platform: debian-amd64
[2019-06-26T18:40:19] ERROR: could not use ssl certificate
[2019-06-26T18:40:19] ERROR: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

@andreysm

Found workaround:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907888

It is just a matter of editing the file /etc/ssl/openssl.cnf, changing the last line
from:
CipherString = DEFAULT@SECLEVEL=2
to
CipherString = DEFAULT@SECLEVEL=1

@victort

victort commented Sep 24, 2019

That works for me, but now I feel less secure? 😟

@rustyx

rustyx commented Nov 7, 2019

> ... but now I feel less secure? 😟

Of course. Don't lower SECLEVEL, use a longer key instead. In case of RSA, using a key of 2048 bits or more will suppress the "ee key too small" error.

"ee key too small" basically means your private key is too small and potentially insecure.

@zwessels

zwessels commented May 5, 2020

> > ... but now I feel less secure? 😟
>
> Of course. Don't lower SECLEVEL, use a longer key instead. In case of RSA, using a key of 2048 bits or more will suppress the "ee key too small" error.
>
> "ee key too small" basically means your private key is too small and potentially insecure.

@rustyx any ideas how to resolve this issue if you still get it after you have confirmed that you are using 2048 bits with RSA?

@baxi

baxi commented May 29, 2020

Changed

MinProtocol = TLSv1.2
to
MinProtocol = TLSv1.1

and it solved my problem

@simons-public

@baxi This was resolved by 9e2fbe2 before version 2.2.0. Which version of Barrier are you using?

@sxgrn

sxgrn commented Aug 20, 2021

I had this problem and found https://wiki.archlinux.org/title/Barrier, which helped me get past the problem. In my case I needed to:

openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ~/.local/share/barrier/SSL/Barrier.pem -out ~/.local/share/barrier/SSL/Barrier.pem

openssl x509 -fingerprint -sha1 -noout -in ~/.local/share/barrier/SSL/Barrier.pem > ~/.local/share/barrier/SSL/Fingerprints/Local.txt

sed -e "s/.*=//" -i ~/.local/share/barrier/SSL/Fingerprints/Local.txt
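
A way to confirm the "ee key too small" diagnosis from earlier in the thread, and to verify a regenerated certificate such as the one above, added here as an example that is not part of the thread or of Barrier. It compares a certificate's RSA key size with the minimum for the SECLEVEL set in openssl.cnf; the function names are made up, the minimums are those documented in SSL_CTX_set_security_level(3), and only RSA keys are handled.

```bash
#!/usr/bin/env bash
# Added example, not Barrier code. Checks RSA keys only.

# Minimum RSA modulus size per OpenSSL security level,
# as documented in SSL_CTX_set_security_level(3).
min_rsa_bits() {
  case "$1" in
    0) echo 0 ;;
    1) echo 1024 ;;
    2) echo 2048 ;;
    3) echo 3072 ;;
    4) echo 7680 ;;
    5) echo 15360 ;;
    *) return 1 ;;
  esac
}

# Read openssl.cnf text on stdin; print the SECLEVEL of the last active
# CipherString line (commented-out lines are ignored), or nothing.
seclevel_from_conf() {
  sed -n 's/^[[:space:]]*CipherString[[:space:]]*=.*@SECLEVEL=\([0-5]\).*/\1/p' | tail -n 1
}

# Read `openssl x509 -noout -text` output on stdin; print the key size.
# Accepts both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)".
key_bits() {
  sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# verdict BITS LEVEL: print the outcome; non-zero status if the key is rejected.
verdict() {
  v_min="$(min_rsa_bits "$2")" || { echo "unknown level"; return 2; }
  if [ "$1" -ge "$v_min" ]; then
    echo "ok"
  else
    echo "ee key too small (need >= $v_min bits at SECLEVEL=$2)"
    return 1
  fi
}

# check_cert CERT [CONF]: apply the check to a certificate file.
check_cert() {
  c_bits="$(openssl x509 -noout -text -in "$1" | key_bits)"
  c_level="$(seclevel_from_conf < "${2:-/etc/ssl/openssl.cnf}")"
  echo "key: ${c_bits:-unknown} bit, SECLEVEL: ${c_level:-not set in config}"
  if [ -n "$c_bits" ] && [ -n "$c_level" ]; then verdict "$c_bits" "$c_level"; fi
}

if [ "$#" -ge 1 ]; then check_cert "$@"; fi  # runs only when given a certificate path
```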

exgs added a commit to exgs/42cursus that referenced this issue May 30, 2022
@yourrams

If you are using RHEL 8 or above, steps to resolve:

update-crypto-policies --show

update-crypto-policies --set DEFAULT

reboot
