Debian 10 cURL error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
After upgrading cURL, it is no longer possible to download data from certain sites; a long list like this appears in the PHP log:
Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 0 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 1 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 1 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 2 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 1 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 1 ms for 1 (transfer 0x5566aa0c0630)
* Expire in 1 ms for 1 (transfer 0x5566aa0c0630)
* Trying 192.168.121.121...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5566aa0c0630)
* Connected to www.sitewebumnmillon.com (09218.1212.1212.12) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
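The fix is to delete or comment out the option
CipherString = DEFAULT@SECLEVEL=2
at the end of the file
/etc/ssl/openssl.cnf
as described in the bug tracker
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788
At security level 2, OpenSSL refuses Diffie-Hellman parameters shorter than 2048 bits, which is what the server offers here. Without the line, OpenSSL falls back to its built-in default level, and the change applies to every program that reads this configuration file, not only cURL.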
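The edit described above, as an added example that is not part of the original post: a shell script that comments out the setting, keeps a backup for reverting, and reports the active CipherString before and after. The function names and the sample file are constructed for illustration; on a real system the target would be /etc/ssl/openssl.cnf, edited as root.

```shell
#!/bin/sh
# Added example (not from the original post): apply the openssl.cnf edit
# described above to a given file, keeping a backup so it can be reverted.

# Regex for the active (uncommented) setting named in the post.
SETTING='[[:space:]]*CipherString[[:space:]]*=[[:space:]]*DEFAULT@SECLEVEL=2[[:space:]]*'

# Print the value of the last active CipherString line, or nothing if none.
active_cipherstring() {
    sed -nE 's/^[[:space:]]*CipherString[[:space:]]*=[[:space:]]*([^[:space:]]+).*$/\1/p' "$1" | tail -n 1
}

# Comment out the setting in file $1. Returns 1 if it is not active there.
comment_out_seclevel() {
    grep -Eq "^${SETTING}\$" "$1" || return 1
    cp -p "$1" "$1.bak" || return 2
    sed -E "s/^(${SETTING})\$/#\\1/" "$1.bak" > "$1"
}

# Constructed sample: the tail of a Debian 10 style openssl.cnf.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
    printf '%s\n' "$f"
}

# Demo on the sample file only; nothing under /etc is touched.
demo=$(make_sample)
echo "before: $(active_cipherstring "$demo")"
if comment_out_seclevel "$demo"; then
    echo "after:  $(active_cipherstring "$demo") (backup in $demo.bak)"
fi
rm -f "$demo" "$demo.bak"
```

Copying the `.bak` file back over the configuration restores the stricter level once the remote server offers a DH key of adequate size.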