[Operators] dh key size too small -- DH key sizes less than 2048 bits rejected by OpenSSL in Debian stable

Jonas Schäfer jonas at wielicki.name
Thu Aug 8 17:23:01 UTC 2019


Dear list,

Here a quick heads up: DH groups with less than 2048 bits are rejected by 
OpenSSL as shipped with Debian stable. This poses interop issues for domains 
which do have such groups (e.g. jabber.org, jabber.ru).

Please check your service configuration for the DH group size.

I think the error can only be seen from within XMPP on the side with the 
stricter settings ("dh key size too small"), while for the other side it 
probably looks just like a timeout because the error happens before dialback 
or anything can happen.

kind regards,
Jonas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.jabber.org/pipermail/operators/attachments/20190808/c6dfdb52/attachment.sig>


More information about the Operators mailing list