やるきなし

2019/09/04 14:37 / OpenVPN on Debian 10 / OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small

Ran into a problem where OpenVPN spits out the following error and refuses to start.

Sep  1 00:00:30 XXX ovpn-vpn_server[XXXX]: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Sep  1 00:00:30 XXX ovpn-vpn_server[XXXX]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sep  1 00:00:30 XXX ovpn-vpn_server[XXXX]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Sep  1 00:00:30 XXX ovpn-vpn_server[XXXX]: PLUGIN_INIT: POST openvpn-plugin-auth-pam.so '[openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
Sep  1 00:00:30 XXX ovpn-vpn_server[XXXX]: OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small
Sep  1 00:00:30 XXX ovpn-vpn_server[XXXX]: SSL_CTX_set_tmp_dh
Sep  1 00:00:30 XXX ovpn-vpn_server[XXXX]: Exiting due to fatal error

Going by "dh key too small", it looks like it is dying because the bit length of the DH key exchange (Diffie-Hellman key exchange) parameters is too short. I had been using 1024 bits. Generate a 2048-bit parameter file as follows,

% sudo openssl dhparam -out /etc/openvpn/dh2048.pem 2048

and wherever a config file such as /etc/openvpn/hoge.conf uses dh1024.pem, change it to dh2048.pem as follows.

-dh dh1024.pem
+dh dh2048.pem
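
Review bot: the `dh` directive keeps a relative file name, while the dhparam command above wrote the file to /etc/openvpn/dh2048.pem, so the new line only resolves if OpenVPN's working directory (its `cd` setting) is /etc/openvpn. Debian's openvpn@ service unit does start the daemon with `--cd /etc/openvpn` (consistent with the `ovpn-vpn_server` process name in the log), so it works there; when starting openvpn by hand or from another unit, write the full path, `dh /etc/openvpn/dh2048.pem`, and check the file is readable before restarting.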

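Debian 10 runs OpenSSL 1.1.1 at security level 2, which refuses DH parameters shorter than 2048 bits, so it is worth checking every `dh` file an OpenVPN config still references before the next restart. The script below is an added example, not part of the original post: it reads the PEM structure `openssl dhparam` writes (PKCS#3, a SEQUENCE of the integers p and g) to get the modulus size and flags undersized files; the `make_dhparam_pem` helper and the SAMPLE_* values only build constructed test data (moduli of the right size, not real safe primes).

```python
import base64
import re

MIN_DH_BITS = 2048   # OpenSSL 1.1.1 security level 2 (Debian 10 default) refuses anything smaller

def _der_tlv(buf: bytes):                # one DER tag-length-value off the front of buf -> (tag, value, rest)
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def dhparam_bits(pem: str) -> int:
    """Bit length of p in a DH PARAMETERS PEM (PKCS#3: SEQUENCE { INTEGER p, INTEGER g })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in input")
    tag, seq, _ = _der_tlv(base64.b64decode("".join(m.group(1).split())))
    tag_p, p_bytes, _ = _der_tlv(seq)
    if tag != 0x30 or tag_p != 0x02:
        raise ValueError("not a PKCS#3 DH parameter structure")
    return int.from_bytes(p_bytes, "big").bit_length()

def undersized_dh(config_text: str, read_file) -> list:
    """[(path, bits)] for each `dh <file>` directive OpenSSL 1.1.1 would reject."""
    bad = []
    for line in config_text.splitlines():
        words = line.split()             # a "#" or ";" comment line never yields words[0] == "dh"
        if len(words) == 2 and words[0] == "dh" and words[1] != "none":
            bits = dhparam_bits(read_file(words[1]))
            if bits < MIN_DH_BITS:
                bad.append((words[1], bits))
    return bad

def make_dhparam_pem(p: int, g: int = 2) -> str:
    """Encode (p, g) as DH PARAMETERS PEM; used only to build the constructed samples below."""
    def der(tag, body):
        n = len(body)
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + body
    def integer(v):                      # minimal big-endian; a leading 0x00 keeps it positive
        return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    b64 = base64.b64encode(der(0x30, integer(p) + integer(g))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

# Constructed samples: moduli sized like real ones but not safe primes; config as in the post.
SAMPLE_FILES = {"dh1024.pem": make_dhparam_pem(1 << 1023 | 1),
                "dh2048.pem": make_dhparam_pem(1 << 2047 | 1)}
SAMPLE_CONFIG = "port 1194\nproto udp\n# still the 1024-bit file from before the upgrade\ndh dh1024.pem\n"
```

On a real host, pass `lambda path: open(path).read()` (with paths resolved against the config's `cd` directory) as `read_file`; `openssl dhparam -in dh1024.pem -text -noout` reports the same size if you prefer the CLI.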