Hello, most probably the problem is on the server side:

openssl s_client -connect www.p-mat.sk:443 -tls1
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = p-mat.sk
verify return:1
139797750867776:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2157:

It seems their DH params are too small. What are the possibilities to
overcome the problem on the squid side? The only one I am currently aware
of is making an exception on ssl bump.

Thanks

Marek

2021-02-15 19:56 GMT+01:00, Marek Greško <mgres...@gmail.com>:
> Hello,
>
> I am struggling with "ERROR: negotiating TLS on FD 53:
> error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
> (1/-1/0)" error when ssl bumping.
>
> I cannot find out where the problem lies and why the key is too small.
> I regenerated my dhparams with openssl dhparam -outform PEM -out
> dhparam.pem 4096.
>
> http_port 3128 ssl-bump \
>     generate-host-certificates=on \
>     dynamic_cert_mem_cache_size=4MB \
>     cert=/**********************/bump-ca.crt \
>     key=/**********************/bump-ca.key \
>     tls-dh=/etc/squid/dhparam.pem
>
> ssl_bump peek step1
> ssl_bump bump bumped_group !bank_dom
> ssl_bump splice all
>
> I use recent Fedora 33 packages.
>
> I observe the issue when connecting to https://www.p-mat.sk as a bumped
> user.
>
> Thanks for any help.
>
> Marek
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
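
The check and the ssl bump exception discussed in the message above, as an added example that is not part of the original thread: it classifies an `openssl s_client` transcript and prints a splice exception for a host whose DHE group is too small. The `MIN_DH_BITS` threshold, the ACL name `weak_dh_servers`, the helper names and the `.example` hosts are assumptions, and the transcripts are constructed (the first reuses the error line from the post).

```shell
#!/bin/sh
# Added example, not from the original thread.
# MIN_DH_BITS (assumed local policy minimum) and the ACL name are assumptions.
MIN_DH_BITS=${MIN_DH_BITS:-2048}

# Print "weak-dh" when an `openssl s_client` transcript shows the local
# OpenSSL rejecting the server's DHE group, or a completed handshake whose
# ephemeral DH key is below MIN_DH_BITS; print "other" for anything else.
dh_verdict() {
    case $1 in
        *"dh key too small"*) echo weak-dh; return 0 ;;
    esac
    bits=$(printf '%s\n' "$1" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo weak-dh
    else
        echo other
    fi
}

# Print the squid.conf lines that splice (tunnel without bumping) one host.
# The splice line has to appear before the `ssl_bump bump ...` rule.
splice_exception() {
    printf 'acl weak_dh_servers ssl::server_name %s\n' "$1"
    printf 'ssl_bump splice weak_dh_servers\n'
}

# Constructed transcripts; the first reuses the error line quoted in the post.
REJECTED='CONNECTED(00000003)
139797750867776:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2157:'
SMALL_BUT_ACCEPTED='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits'
ECDHE='CONNECTED(00000003)
Server Temp Key: X25519, 253 bits'

report() {  # report HOST TRANSCRIPT
    if [ "$(dh_verdict "$2")" = weak-dh ]; then
        splice_exception "$1"
    else
        echo "# $1: no weak DHE group seen, keep bumping"
    fi
}

report www.p-mat.sk "$REJECTED"
report dh1024.example "$SMALL_BUT_ACCEPTED"
report ecdhe.example "$ECDHE"
```

A spliced connection is tunnelled unmodified, so the proxy no longer inspects traffic to that host and the client's own TLS stack decides whether to accept the server's key exchange.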