[Operators] s2s connectivity to jabber.ru -- dh key too small

Holger Weiß holger at zedat.fu-berlin.de
Fri Aug 9 07:12:35 UTC 2019


* Jonas Schäfer <jonas at wielicki.name> [2019-08-08 19:14]:
> I was contacted by someone @jabber.ru, but I cannot reply because the DH key 
> size used by their server for TLS is too small to be accepted by the TLS 
> libraries distributed with Debian stable.

For what it's worth, the problem is not the OpenSSL library distributed
with Debian (OpenSSL still accepts 512 bit DH keys), but Debian stable's
restrictive default settings in /etc/ssl/openssl.cnf.  Those settings
also enforce TLSv1.2 and accept only a small set of ciphers, for
example.  While this may work for common (HTTP) use cases, it can of
course easily lead to such backward compatibility issues for us (and
others; there are various related issues in Debian's bug tracker).  On the
Debian systems I maintain, I therefore revert to OpenSSL's upstream
defaults by changing the bottom of /etc/ssl/openssl.cnf to:

	[system_default_sect]
	MinProtocol = None
	CipherString = DEFAULT

I'd prefer if a Linux distribution would only apply changes to upstream
software required for integration with the rest of the operating system,
rather than such policy enforcement ... :-/

Holger
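To make the effect of those two [system_default_sect] lines concrete, here is an added example (mine, not part of Holger's message or of Debian's or OpenSSL's tooling). It reads the bottom of an openssl.cnf, derives the policy it implies, and reports why a peer would be refused. The minimum DH size and oldest protocol per security level are taken from SSL_CTX_set_security_level(3); the first config fragment is the [system_default_sect] shipped in Debian buster, the second is the same file with Holger's values. Assumptions are marked in the code: a CipherString without @SECLEVEL= falls back to level 1 (OpenSSL 1.1.1's compile-time default), and the "observed" peer (TLSv1.2 with a 1024-bit DH key) is a constructed stand-in, not jabber.ru's actual parameters.

```python
"""Evaluate an openssl.cnf [system_default_sect] policy against an observed TLS peer."""
import re

# Minimum DH modulus (bits) per OpenSSL security level, from
# SSL_CTX_set_security_level(3); level 0 imposes no size limit.
SECLEVEL_MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
# Oldest protocol version each level still permits, same man page.
SECLEVEL_MIN_PROTOCOL = {0: "SSLv3", 1: "SSLv3", 2: "TLSv1",
                         3: "TLSv1.1", 4: "TLSv1.2", 5: "TLSv1.2"}
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: a CipherString without @SECLEVEL= uses the library's compile-time
# default, which is 1 for OpenSSL 1.1.1 (the version shipped in Debian buster).
DEFAULT_SECLEVEL = 1


def parse_openssl_cnf(text):
    """Minimal openssl.cnf reader: '[section]' headers and 'key = value' pairs,
    '#' comments stripped.  Keys before the first header land in section ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def policy_from_cnf(text):
    """Return (min_protocol or None, seclevel) implied by [system_default_sect]."""
    sect = parse_openssl_cnf(text).get("system_default_sect", {})
    min_proto = sect.get("MinProtocol", "None")
    min_proto = None if min_proto == "None" else min_proto
    match = re.search(r"@SECLEVEL=(\d)", sect.get("CipherString", "DEFAULT"))
    seclevel = int(match.group(1)) if match else DEFAULT_SECLEVEL
    return min_proto, seclevel


def evaluate(policy, peer_protocol, dh_bits):
    """List the reasons the policy would refuse a peer that negotiates
    peer_protocol with a dh_bits-bit ephemeral DH key; an empty list = accepted."""
    min_proto, seclevel = policy
    reasons = []
    # The effective protocol floor is the stricter of MinProtocol and the level's own.
    floor = max([p for p in (min_proto, SECLEVEL_MIN_PROTOCOL[seclevel]) if p],
                key=PROTOCOL_ORDER.index)
    if PROTOCOL_ORDER.index(peer_protocol) < PROTOCOL_ORDER.index(floor):
        reasons.append(f"{peer_protocol} below minimum {floor}")
    need = SECLEVEL_MIN_DH_BITS[seclevel]
    if dh_bits < need:
        # Mirrors OpenSSL's own reason string, SSL_R_DH_KEY_TOO_SMALL.
        reasons.append(f"dh key too small: {dh_bits} < {need} bits (SECLEVEL={seclevel})")
    return reasons


# The bottom of Debian buster's shipped /etc/ssl/openssl.cnf.
DEBIAN_BUSTER_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

# The same file with the [system_default_sect] values from the message above.
REVERTED_CNF = (DEBIAN_BUSTER_CNF
                .replace("MinProtocol = TLSv1.2", "MinProtocol = None")
                .replace("CipherString = DEFAULT@SECLEVEL=2", "CipherString = DEFAULT"))

# Constructed observation standing in for the remote server's handshake
# (not jabber.ru's actual parameters): TLSv1.2 with a 1024-bit DH key.
OBSERVED = ("TLSv1.2", 1024)


def compare():
    """Verdict of both policies on the constructed peer, keyed by policy name."""
    return {
        "debian": evaluate(policy_from_cnf(DEBIAN_BUSTER_CNF), *OBSERVED),
        "reverted": evaluate(policy_from_cnf(REVERTED_CNF), *OBSERVED),
    }


if __name__ == "__main__":
    for name, reasons in compare().items():
        print(f"{name:9s} {'accepted' if not reasons else '; '.join(reasons)}")
```

Note that the revert does not switch the size check off: without @SECLEVEL= the library's own default level still applies, so the script only accepts the constructed peer because 1024 bits clears the level-1 floor, whereas level 2 demands 2048.  Swap in the DH size and protocol version you actually see in the remote server's ServerKeyExchange to evaluate a real case.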

