Bug#907788: marked as done ("dh key too small" since openssl upgrade)

Wed, 03 Oct 2018 15:06:22 -0700 

Your message dated Wed, 3 Oct 2018 22:55:30 +0100
with message-id <[email protected]>
and subject line Re: Bug#907788: "dh key too small" since openssl upgrade
has caused the Debian Bug report #907788,
regarding "dh key too small" since openssl upgrade
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
907788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: curl
Version: 7.61.0-1
Since openssl upgrade to 1.1.1~~pre9-1, curl is not able anymore to do requests to some sites. For example: 

% curl https://www.credit-cooperatif.coop/
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

It used to work with curl, and it still works with wget (which uses gnutls).

I suspect it's related to #907015.

--- End Message ---
--- Begin Message --- 
On Sat, Sep 29, 2018 at 06:33:02PM +0200, Sebastian Andrzej Siewior wrote:
> control: unblock 907015 by 907788
> 
> On 2018-09-02 09:59:11 [+0200], VA wrote:
> > Since openssl upgrade to 1.1.1~~pre9-1, curl is not able anymore to do
> > requests to some sites. For example:
> > 
> > % curl https://www.credit-cooperatif.coop/
> > curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
> > 
> > It used to work with curl, and it still works with wget (which uses gnutls).
> > 
> > I suspect it's related to #907015.
> 
> I would close that if I were the curl maintainer. The remote site in the
> example uses a small DH key [0]. If you can't get owner to upgrade the
> site and want still to access the site I suggest to remove
>       CipherString = DEFAULT@SECLEVEL=2
> from /etc/ssl/openssl.cnf.
> 
> [0] https://www.ssllabs.com/ssltest/analyze.html?d=www.credit-cooperatif.coop

Attachment: signature.asc
Description: PGP signature


--- End Message ---

Reply via email to