I am connecting to my Google Cloud SQL database via SSL. I use CodeIgniter 3.0 to do so, although the mysqli driver is a bit modified to allow this functionality.
It's been working well for months. However, it just started to return this warning:
Message: mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
DH Key is too small is the main problem, but I have no idea what that means. I've googled Diffie–Hellman key exchange, along with the message "key too small" but I haven't had much luck.
Is this a sign that the keys on the server have been tampered with? I've checked the last-modified dates on them -- no abnormal recent access.
It could be that my server did some upgrading to PHP or their server configuration, which may result in this breaking, but I wanted to check and make sure that it wasn't something else.
Thanks for any insight / readable material on the subject.
Best How To :
> ... error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
The error number you are interested in is the OpenSSL error 0x14082174.
SSL3_CHECK_CERT_AND_ALGORITHM is usually seen when enabling export grade ciphers. It may be showing up again in non-export grade negotiations due to Logjam (see below).
> I'm assuming DH Key is too small is the main problem, but I have no idea what that means. I've googled Diffie–Hellman key exchange, along with the message "key too small" but I haven't had much luck.
That's due to the recent Logjam attack from the paper Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice.
You should use 2048-bit Diffie-Hellman groups or larger. You should not be using 512-bit or 1024-bit Diffie-Hellman groups.
The first thing to check for is your cipher list string. It should be similar to:
It will avoid the export grade ciphers, and use modern ciphers. But you will also need to ensure your DH callback is not using a weak/small field size. For that, you need to check the server configuration.
I seem to recall wget rejected small groups quite some time before the paper was released. It might make a good test case for your site.
There's also an improved sslscan, which tests for lots of things. That might make a good QA tool, too.
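To illustrate what "dh key too small" is measuring, here is an added example (not part of the original answer) that parses a DHE ServerKeyExchange handshake message, reads the group prime `dh_p`, and compares its size against the 2048-bit minimum recommended above. It assumes the message comes from a DHE cipher suite (ECDHE uses a different layout); the function names and the sample messages are constructed for illustration.

```python
import struct

MIN_DH_BITS = 2048  # smallest group size the answer above recommends

def read_vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> field: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:off + 2 + n], off + 2 + n

def dh_prime_bits(msg):
    """Bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(msg) < 4 or msg[0] != 12:   # handshake type 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    if len(msg) < 4 + body_len:
        raise ValueError("truncated handshake body")
    body = msg[4:4 + body_len]
    p, off = read_vec16(body, 0)       # dh_p: the group prime
    _g, off = read_vec16(body, off)    # dh_g: the generator
    _ys, off = read_vec16(body, off)   # dh_Ys: the server's public value
    return int.from_bytes(p, "big").bit_length()  # leading zero bytes do not count

def verdict(bits):
    """Classify a group size the way a strict client would."""
    if bits <= 512:
        return "reject: export-grade size"
    if bits < MIN_DH_BITS:
        return "reject: below 2048 bits"
    return "ok"

def sample_ske(bits):
    """Constructed test message; p is a placeholder odd number, not a real group."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    g = b"\x02"
    ys = b"\x01" * (bits // 8)
    body = b"".join(struct.pack(">H", len(f)) + f for f in (p, g, ys))
    body += b"\x00" * 8  # stands in for the signature that follows the parameters
    return b"\x0c" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, verdict(dh_prime_bits(sample_ske(bits))))
```
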