Jira (PDB-4728) create dh key is too small


Blue Umbrella (Jira)

May 10, 2020, 9:45:03 PM
to puppe...@googlegroups.com
Blue Umbrella created an issue
 
PuppetDB / Bug PDB-4728
create dh key is too small
Issue Type: Bug
Affects Versions: PDB 6.10.1
Assignee: Unassigned
Created: 2020/05/10 6:44 PM
Priority: Normal
Reporter: Blue Umbrella

Ran "puppetdb ssl-setup" and then tried to verify the SSL connectivity after doing "systemctl start puppetdb" (CentOS 8.1). (There is no "CentOS 8" in either agent-os or master-os.)

openssl's s_client program reports that the DH key is too small and fails to verify the certificate, e.g.:

    $ openssl s_client -connect puppetdb:8081
    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=0 CN = host.name
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = host.name
    verify error:num=21:unable to verify the first certificate
    verify return:1
    140169246222144:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2150:

    Certificate chain
     0 s:CN = host.name
       i:CN = Puppet CA: host.name

    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    subject=CN = host.name

    issuer=CN = Puppet CA: host.name

    No client certificate CA names sent

    SSL handshake has read 2607 bytes and written 306 bytes
    Verification error: unable to verify the first certificate

    New, (NONE), Cipher is (NONE)
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID: 5EB8A662CB4DC70C91FF81A0B2EFD7F1960DF94CFA4FCD953751EEF586F5DD86
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1589159522
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        Extended master secret: yes

 
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
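The transcript above tells you that the client refused the server's ephemeral DH parameters, but not how big they were: OpenSSL aborts in tls_process_ske_dhe before it prints the "Server Temp Key" line. The script below is an added example for this thread (it is not code from PuppetDB or from the reporter): it parses s_client output for the OpenSSL error, the negotiated protocol, the verify result and the temp-key size, returns a verdict against a minimum DH size, and builds an s_client command line that drops the client's security level (the CentOS 8 crypto policy is what rejects a 1024-bit DH key) so the server's actual size is reported. The two transcripts in it are constructed to mirror the ticket's output and a healthy 2048-bit DHE handshake; they are not captures. The host name, port 8081 and the 2048-bit threshold are assumptions.

```python
"""Parse `openssl s_client` output and flag a rejected or short ephemeral DH key.

Added example for this thread, not code from PuppetDB or the reporter. The two
transcripts are constructed to mirror the ticket's output and a healthy
2048-bit DHE handshake; they are not real captures.
"""
import re
import subprocess

# <tid>:error:<code>:SSL routines:<function>:<reason>:<file>:<line>:
ERROR_RE = re.compile(r"SSL routines:(?P<func>\w+):(?P<reason>[^:]+):")
# 'Server Temp Key: DH, 2048 bits' / 'ECDH, P-256, 256 bits' / 'X25519, 253 bits'
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key: (?P<kind>[A-Za-z0-9]+)(?:, (?P<curve>[A-Za-z0-9-]+))?, (?P<bits>\d+) bits",
    re.M)
VERIFY_RE = re.compile(r"^\s*Verify return code: (?P<code>\d+) \((?P<text>[^)]*)\)", re.M)
PROTO_RE = re.compile(r"^\s*Protocol\s*: (?P<proto>\S+)", re.M)

# Constructed sample shaped like the ticket's transcript (handshake aborted).
SAMPLE_REJECTED = """\
CONNECTED(00000003)
depth=0 CN = host.name
verify error:num=21:unable to verify the first certificate
verify return:1
140169246222144:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2150:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample of a completed DHE handshake with a 2048-bit key.
SAMPLE_OK = """\
CONNECTED(00000003)
depth=0 CN = host.name
verify return:1
Server Temp Key: DH, 2048 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""


def s_client_cmd(host, port=8081):
    """argv that makes OpenSSL 1.1.0+ report the DH size instead of refusing it.

    '@SECLEVEL=0' overrides the distro security level (CentOS 8's crypto policy
    is what turns a 1024-bit DH key into 'dh key too small'), 'DHE' forces a
    DHE suite so 'Server Temp Key' shows the DH size, and -tls1_2 keeps a
    TLS 1.3 key share from masking the TLS 1.2 DHE parameters.
    """
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-tls1_2", "-cipher", "DHE:@SECLEVEL=0"]


def parse_s_client(output):
    """Extract protocol, verify result, temp key and OpenSSL errors."""
    info = {"protocol": None, "verify_code": None, "verify_text": None,
            "temp_key_kind": None, "temp_key_bits": None}
    if m := PROTO_RE.search(output):
        info["protocol"] = m.group("proto")
    if m := VERIFY_RE.search(output):
        info["verify_code"], info["verify_text"] = int(m.group("code")), m.group("text")
    if m := TEMP_KEY_RE.search(output):
        info["temp_key_kind"], info["temp_key_bits"] = m.group("kind"), int(m.group("bits"))
    info["errors"] = [(e.group("func"), e.group("reason")) for e in ERROR_RE.finditer(output)]
    return info


def check_dhe(output, minimum_bits=2048):
    """Return (ok, reason); ok is False if the DHE key was rejected, absent or short."""
    info = parse_s_client(output)
    for func, reason in info["errors"]:
        if reason == "dh key too small":
            return False, f"{func}: dh key too small (rejected by the client's security level)"
    if info["temp_key_kind"] is None:
        return False, "no 'Server Temp Key' line: handshake did not complete"
    if info["temp_key_kind"] == "DH" and info["temp_key_bits"] < minimum_bits:
        return False, f"DH {info['temp_key_bits']} bits is below {minimum_bits}"
    return True, f"{info['temp_key_kind']} {info['temp_key_bits']} bits"


def probe(host, port=8081, timeout=10):
    """Run s_client against a live host and return check_dhe's verdict."""
    run = subprocess.run(s_client_cmd(host, port), input=b"", capture_output=True, timeout=timeout)
    return check_dhe(run.stdout.decode() + run.stderr.decode())


if __name__ == "__main__":
    for name, text in (("rejected", SAMPLE_REJECTED), ("ok", SAMPLE_OK)):
        print(name, check_dhe(text))
```

Note that the "Verify return code: 21" in the ticket is a separate matter from the DH size: s_client was run without -CAfile pointing at the Puppet CA, so it cannot build the chain whether or not the DH parameters are acceptable. Pass the CA file when you want the verify result to mean something.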

Austin Blatt (Jira)

Jun 2, 2020, 2:24:04 PM
to puppe...@googlegroups.com
Austin Blatt commented on Bug PDB-4728
 
Re: create dh key is too small

I believe this is an issue with Java 8; upgrading to Java 11 should solve the issue. Also, adding the following Java arg in Java 8 should work as well: -Djdk.tls.ephemeralDHKeySize=2048
