What is a DH key? #
Diffie-Hellman (DH) is a key-agreement method that lets two parties establish a shared secret over an untrusted network. Each side generates a private value and a public value, only the public values are exchanged, and both sides derive the same shared secret without the private values ever being transmitted. That secret is then used to derive the session keys that encrypt and authenticate the traffic. In the classic (finite-field) variant, the "DH key" size is the length of the prime modulus, and it is this length that the "DH key too small" error is about. DH key exchange is a building block of SSL/TLS, SSH and VPN protocols, where it protects the session against passive eavesdropping; on its own it does not authenticate the peer, so the protocols combine it with certificates or signatures.
What is an ECDHE key? #
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is the same key agreement performed on an elliptic curve, with a fresh key pair generated for every session. It is the key exchange used by modern SSL/TLS connections. Because the per-session key pairs are discarded after the handshake, ECDHE provides forward secrecy: an attacker who later obtains the server's long-term private key cannot decrypt previously recorded sessions, and compromising one session's keys reveals nothing about other sessions. Elliptic-curve keys reach the same security strength with far shorter key lengths than finite-field DH (a 256-bit curve is roughly equivalent to a 3072-bit DH modulus), so ECDHE is both stronger and computationally cheaper, which is why it is preferred for secure web browsing, email and other TLS-based services.
Steps to analyze the DH key too small error #
The error "DH key too small" appears in cryptographic protocols such as SSL/TLS or SSH when the peer offers Diffie-Hellman parameters that are shorter than the local security policy allows for the key exchange. Let's review the log messages in RELIANOID Load Balancer.
Jul 27 17:43:20 noid-ee-01 pound: MyHTTPfarm, BIO_do_handshake with:443 failed: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
This "DH key too small" error is raised by the load balancer when it opens a TLS connection to one of the farm's backends: tls_process_ske_dhe is the OpenSSL routine that processes the backend's ServerKeyExchange message, which carries the DH parameters. The backend's key exchange can be tested with the following command, filling in the backend's host name and port:
root@noid-ee-01:~# openssl s_client -connect:443 -servername | grep Temp [...] Server Temp Key: [...]
The Server Temp Key line shows the ephemeral key the backend negotiated. For finite-field DH it should be at least 2048 bits for a properly secured service; a backend that still uses 1024-bit or smaller DH parameters triggers the "DH key too small" error. If the line shows an ECDH curve or X25519 instead, the backend is using ECDHE and this error does not apply to it.
By default, the OpenSSL configuration in the load balancer allows a minimum of TLSv1.2 and a security level of 2 (SECLEVEL=2, which corresponds to 112-bit security and rejects DH, RSA and DSA keys shorter than 2048 bits and elliptic-curve keys shorter than 224 bits). This is defined in the configuration file /etc/ssl/openssl.cnf.
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
So, in order to fix this issue, the hardening belongs on the backend side: either regenerate the backend's DH parameters with at least 2048 bits, or, preferably, enable ECDHE cipher suites such as "ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES256-SHA", which use elliptic-curve key exchange and never negotiate finite-field DH at all (of these, the GCM suite is the one to prefer). Please ensure such ciphers are available in your backends' secured services. Lowering the SECLEVEL on the load balancer would also silence the error, but it weakens every TLS connection the balancer makes and is not recommended.
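Putting the check and the fix together, here is an added shell example; it is not part of the RELIANOID page or product. It parses the Server Temp Key line of openssl s_client output and classifies it against the SECLEVEL=2 thresholds described above (2048 bits for finite-field DH, 224 bits for elliptic-curve keys; those thresholds come from the OpenSSL security-level documentation, not from this page), wraps the s_client probe from the previous section so it runs non-interactively, and generates replacement 2048-bit DH parameters for a backend that cannot be switched to ECDHE. The function names and the sample output lines are our own, constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the RELIANOID page: check a backend's ephemeral
# key exchange against OpenSSL SECLEVEL=2 and prepare a fix.
# Assumptions: thresholds follow the OpenSSL security-level table (level 2 =
# 112-bit security: DH keys >= 2048 bits, EC keys >= 224 bits); function
# names are our own; the sample lines at the bottom are constructed.

# classify_temp_key: read "openssl s_client" output on stdin and judge the
# "Server Temp Key" line. Prints a verdict. Exit status: 0 = acceptable under
# SECLEVEL=2, 1 = would trigger "dh key too small" (or a weak EC key),
# 2 = no ephemeral key seen (static RSA key exchange, or handshake failed).
classify_temp_key() {
    line=$(grep 'Server Temp Key' | head -n 1)
    if [ -z "$line" ]; then
        echo "no Server Temp Key line: static RSA key exchange or handshake failed"
        return 2
    fi
    # Formats printed by s_client:
    #   Server Temp Key: DH, 1024 bits
    #   Server Temp Key: ECDH, P-256, 256 bits
    #   Server Temp Key: X25519, 253 bits
    kind=$(printf '%s\n' "$line" | sed -n 's/.*Server Temp Key: *\([^,]*\),.*/\1/p')
    bits=$(printf '%s\n' "$line" | sed -n 's/.*, *\([0-9][0-9]*\) bits.*/\1/p')
    if [ -z "$kind" ] || [ -z "$bits" ]; then
        echo "unrecognised Temp Key line: $line"
        return 2
    fi
    case "$kind" in
        DH)
            if [ "$bits" -ge 2048 ]; then
                echo "ok: finite-field DH, $bits bits"
                return 0
            fi
            echo "TOO SMALL: DH $bits bits < 2048; SECLEVEL=2 rejects this backend"
            return 1
            ;;
        ECDH|X25519|X448)
            if [ "$bits" -ge 224 ]; then
                echo "ok: ECDHE ($kind), $bits bits; finite-field DH not used"
                return 0
            fi
            echo "weak EC key: $kind $bits bits < 224"
            return 1
            ;;
        *)
            echo "unrecognised key type '$kind': $line"
            return 2
            ;;
    esac
}

# probe_backend HOST [PORT]: the s_client check from the section above, run
# non-interactively against a real backend (needs network access).
probe_backend() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | classify_temp_key
}

# make_dhparams FILE [BITS]: generate DH parameters that satisfy SECLEVEL=2
# (default 2048 bits) for a backend that cannot move to ECDHE, then read the
# size back so the file can be verified before it is deployed.
make_dhparams() {
    file=$1
    bits=${2:-2048}
    if [ "$bits" -lt 2048 ]; then
        echo "refusing to generate $bits-bit parameters: SECLEVEL=2 needs >= 2048" >&2
        return 1
    fi
    openssl dhparam -out "$file" "$bits" 2>/dev/null || return 1
    openssl dhparam -in "$file" -text -noout | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p'
}

# Offline demonstration with constructed sample lines (no network needed):
for sample in 'Server Temp Key: DH, 1024 bits' \
              'Server Temp Key: DH, 2048 bits' \
              'Server Temp Key: ECDH, P-256, 256 bits' \
              'CONNECTED(00000003)'; do
    printf '%s\n' "$sample" | classify_temp_key || true
done
```

Against a live backend, `probe_backend backend.example.internal 443` returns 1 exactly when the load balancer would log "dh key too small"; `make_dhparams /etc/ssl/dhparam.pem` then produces parameters the backend's web server can be pointed at (the directive differs per server), and prints 2048 when the file reads back correctly. The 2048-bit floor in make_dhparams is deliberate so the helper cannot be used to regenerate a parameter set that SECLEVEL=2 would reject again.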