DH key too small
Over the past two years various systems have increased their "default" security requirements.
This resulted in errors such as
- dh key too small
- ee key too small
- ca md too weak

showing up as messages or in log files.
While increasing security requirements is a "good thing", it does mean that some upgrades cause things to stop working. A client system that used to think a server system was "secure" stops working because the server does not meet the upgraded client's new idea of what "secure" means.
The "right answer" is for that server to upgrade to more modern and safer security. Let them know they should do this. Have them google their server/software name (e.g. "google cloudSQL") and "DH key too small". They can use Qualys SSL Labs and sslscan to verify security.
But if the server won't upgrade and the client still needs to work with it, the client will have to relax its idea of "secure". Here's a quick guide on how to do this for various clients:
- CentOS 8 (where the problem specifically shows up as being unable to send email)
  Run
  sudo update-crypto-policies --set LEGACY
  and reboot.
This changes the default system crypto policy in /etc/crypto-policies/config (see that file for some documentation on this). Switching to LEGACY from DEFAULT changes settings in several files found in the /etc/crypto-policies/ directory tree.
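To confirm that undersized DH parameters are really what the server offers before relaxing the policy, the added example below (not part of the original page) reads `openssl s_client` output and reports the server's DH size. The 2048-bit minimum for the DEFAULT policy and the function names are assumptions of this example, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify the ephemeral DH size shown in `openssl s_client`
# output, to tell whether "dh key too small" is the expected failure.

# Assumption: smallest DH size (bits) the DEFAULT crypto policy accepts.
MIN_DH_BITS=2048

# Print the finite-field DH size found in s_client output on stdin.
# Prints nothing when the handshake used ECDH/X25519 instead of DH.
dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1
}

# Classify s_client output on stdin. Prints one of:
#   too-small <bits>   server DH is below MIN_DH_BITS
#   ok <bits>          server DH meets MIN_DH_BITS
#   no-dh              no finite-field DH key exchange was seen
check_dh() {
    bits=$(dh_bits)
    if [ -z "$bits" ]; then
        echo "no-dh"
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "too-small $bits"
    else
        echo "ok $bits"
    fi
}

# Constructed s_client output (not captured from a real server);
# $1 is the text after "Server Temp Key: ".
sample() {
    printf 'CONNECTED(00000003)\n---\nServer Temp Key: %s\n---\n' "$1"
}

# Demo on the constructed samples.
for key in 'DH, 1024 bits' 'DH, 2048 bits' 'X25519, 253 bits'; do
    printf '%-18s -> %s\n' "$key" "$(sample "$key" | check_dh)"
done

# Live use, from a client that can still complete the handshake
# (HOST:PORT is a placeholder):
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | check_dh
```

A `too-small` result points at the server's DH parameters as the thing to fix; `no-dh` means the failure is more likely one of the certificate errors (`ee key too small`, `ca md too weak`).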
If anyone contacts us with information on how to set security levels for other clients not listed here we will add that info to this page.