
SSL Connection Error: dh key too small

Affects product: Airlock WAF
Affects version(s): 5.x

Installing Hotfix HF0012 on Airlock WAF 5.x updates OpenSSL to version 1.0.1t. From then on, Airlock WAF no longer accepts Diffie-Hellman (DH) key exchange with DH parameters shorter than 1024 bits. This can cause connection problems with SSL/TLS back-ends, indicated by the following log message on Airlock WAF. Updating to Airlock WAF 6.x can cause the same problem.

m:WR-SG-BACK-502 Communication error (35: SSL connect error; error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small) (errno:0: Success) during backend request

We recommend updating the affected back-ends and making sure that DH parameters of at least 1024 bits are used.

Workaround: Provided that the back-end supports alternative cipher suites, the use of DH cipher suites can be prevented with the following Security Gate expert setting in the corresponding back-end group.

BackendSSLCipherSuite    "DEFAULT:!DH"

Note that the alternative cipher suites will probably not provide forward secrecy.
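As an added example (not Airlock's own code), a small Python helper that flags the log message quoted above in Airlock WAF logs and checks a back-end's ephemeral DH size by parsing `openssl s_client` output; the "Server Temp Key" line format and the `DHE` cipher alias are assumptions, and the sample log and s_client output are constructed.

```python
"""Added example (not Airlock's code): flag the HF0012 / OpenSSL 1.0.1t failure in
Airlock WAF logs and check a back-end's ephemeral DH size via openssl s_client."""
import re
import subprocess

# The back-end error quoted in the article (WR-SG-BACK-502, "dh key too small").
DH_TOO_SMALL = re.compile(
    r"WR-SG-BACK-502 .*?error:([0-9A-Fa-f]+):SSL routines:\S+:dh key too small")
# Key-exchange line printed by `openssl s_client` 1.0.2 and later, e.g.
# "Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits"
# (assumption: this exact wording).
TEMP_KEY = re.compile(r"Server Temp Key: (\w+), (?:.*?, )?(\d+) bits")

# Constructed sample data for offline use, not real Airlock or s_client output.
SAMPLE_LOG = [
    "2016-05-10 12:00:01 backend request completed",
    "2016-05-10 12:00:02 m:WR-SG-BACK-502 Communication error (35: SSL connect error; "
    "error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small) "
    "(errno:0: Success) during backend request",
]
SAMPLE_S_CLIENT = "---\nServer Temp Key: DH, 768 bits\n---\nSSL handshake has read 1833 bytes\n"

def find_dh_key_too_small(log_lines):
    """Return (line number, OpenSSL error code) for each affected log line."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = DH_TOO_SMALL.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits

def server_temp_key(s_client_output):
    """Return (algorithm, bits) parsed from s_client output, or None if absent."""
    m = TEMP_KEY.search(s_client_output)
    return (m.group(1), int(m.group(2))) if m else None

def backend_dh_acceptable(s_client_output, minimum_bits=1024):
    """True if DH parameters meet the floor enforced by OpenSSL 1.0.1t (or ECDH was
    used), False if they are too small, None if no ephemeral key was printed
    (handshake failed or the back-end offers no DHE suite)."""
    key = server_temp_key(s_client_output)
    if key is None:
        return None
    algorithm, bits = key
    return algorithm != "DH" or bits >= minimum_bits

def probe_backend(host, port=443):
    """Run s_client restricted to DHE suites so the DH size becomes visible.
    Needs network access and an openssl binary; not used by the offline checks."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", "DHE"]
    return subprocess.run(cmd, input="", capture_output=True, text=True).stdout
```

Feed the output of `probe_backend()` to `backend_dh_acceptable()` to decide whether a back-end needs larger DH parameters before applying the hotfix.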

Back-ends running on Java 7 or older

SSL/TLS back-end systems running on Java 7 or older Java versions might be affected by this change because these Java versions do not support 1024-bit DH parameters. Furthermore, the workaround described above might not work with Java applications that use a DSA private key, because with this key type Java only supports cipher suites with a Diffie-Hellman key exchange. In this case we recommend updating the application to Java 8 if SSL/TLS is required for back-end connections, or issuing new certificates based on an RSA or EC (elliptic curve) private key.
