OpenSSL DH Key Too Small Error

by 
... SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

I have looked in to using LWP and raw Net:SSLeay, but the problem seems to be in the underlying OpenSSL libs.

While it is caused by changes to OpenSSL the problem is actually at the server side. The server is using a weak DH key within the key exchange and recent versions of OpenSSL enforce a non-weak DH key because of the Logjam attack.

If the server supports ciphers which don’t use DH key exchange you can work around the problem by restricting the ciphers offered by the client so that they don’t include any DH ciphers.

my $sock = IO::Socket::SSL->new(..., SSL_cipher_list => 'DEFAULT:!DH' ...);

Apart from that simply disabling any validation like you do is bad:

    ...
    verify_hostname => 0,   
    SSL_verify_mode => SSL_VERIFY_NONE,
    SSL_verifycn_scheme => undef

For one, verify_hostname is not a valid parameter at all (this is for LWP only). Also, you don’t need to set a SSL_verifycn_scheme if you disable validation with SSL_verify_mode since no validation also means no validation of the certificates subject.

But much better than disabling validation would be to use SSL_fingerprint to specify which certificate you expect and thus have a proper check even for self-signed or expired certificates. See common usage errors in the IO::Socket::SSL documentation for more information.

More Related Contents:

  1. Data consolidation using Perl [closed]
  2. How can i do this in perl, shortcut truthtable [closed]
  3. How to retrieve the values of required keys in Perl [closed]
  4. Perl: Meaning of double squared brackets after a string?
  5. What does this HTML::Parser() code do in Perl? [closed]
  6. Why use strict and warnings?
  7. Why does modern Perl avoid UTF-8 by default?
  8. curl: (60) SSL certificate problem: unable to get local issuer certificate
  9. Why is three-argument open calls with autovivified filehandles a Perl best practice?
  10. What’s the difference between Perl’s backticks, system, and exec?
  11. How can I parse dates and convert time zones in Perl?
  12. Which one is good practice, a lexical filehandle or a typeglob?
  13. How do I tell if a variable has a numeric value in Perl?
  14. Perl memory usage profiling and leak detection?
  15. How should I use the “my” keyword in Perl?
  16. Obsolete cryptography warning from Browser
  17. How to install OpenSSL in windows 10?
  18. Global symbol requires explicit package name
  19. How can I store the result of a system command in a Perl variable?
  20. How can I check if a file exists in Perl?
  21. Using Encode::encode with “utf8”
  22. PHPMailer generates PHP Warning: stream_socket_enable_crypto(): Peer certificate did not match expected
  23. OpenSSL: unable to verify the first certificate for Experian URL
  24. How can I start an interactive console for Perl?
  25. What does =~ do in Perl? [closed]
  26. How to convert letters with accents, umlauts, etc to their ASCII counterparts in Perl?
  27. Do you use an exception class in your Perl programs? Why or why not?
  28. How can I extract text from a PDF file in Perl?
  29. What do you get if you evaluate a hash in scalar context?
  30. How do I retrieve the terminal width in Perl?

Leave a Comment