SSL3: "dh key too small" with news.tweaknews.eu

Get help with all aspects of SABnzbd
Forum rules
Help us help you:
  • Are you using the latest stable version of SABnzbd? Downloads page.
  • Tell us what system you run SABnzbd on.
  • Adhere to the forum rules.
  • Do you experience problems during downloading?
    Check your connection in Status and Interface settings window.
    Use Test Server in Config > Servers.
    We will probably ask you to do a test using only basic settings.
  • Do you experience problems during repair or unpacking?
    Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
Post Reply
BrokenClockwork
Newbie
Newbie
Posts: 2
Joined: June 14th, 2015, 5:55 am

SSL3: "dh key too small" with news.tweaknews.eu

Post by BrokenClockwork »

After updating from Ubuntu 14.04 to 14.10 (later to 15.04) I am getting now this error when connecting to my Usenet server via SSL:
[Errno 111] Failed to connect: [('SSL routines', 'SSL3_CHECK_CERT_AND_ALGORITHM', 'dh key too small')]-1@news.tweaknews.eu:443
dh refers to the Diffie-Hellman key. I would assume this is related to the Logjam vulnerability, but how can I fix this? I assume this needs to be fixed inside Sabnzbd, generate a new key. But I don't know how.

Thanks in advance,
BrokenClockwork
Top
User avatar
sander
Release Testers
Release Testers
Posts: 9429
Joined: January 22nd, 2008, 2:22 pm

Re: SSL3: dh key too small

Post by sander »

FWIW: I can reproduce it on my Ubuntu 15.04 with SABnzbd 0.8.x git version (and SABnzbd 0.7.20) and python 2.7.9

Code: Select all

2015-06-14 15:44:59,446::INFO::[downloader:399] 1@news.tweaknews.eu: Initiating connection
2015-06-14 15:44:59,562::INFO::[newswrapper:241] Failed to connect: [('SSL routines', 'SSL3_CHECK_CERT_AND_ALGORITHM', 'dh key too small')] 1@news.tweaknews.eu:443
My dpkg.log:

Code: Select all

sander@superstreamer:/var/log$ cat dpkg.log | grep libssl | grep upgrade
2015-06-12 16:38:55 upgrade libssl-doc:all 1.0.1f-1ubuntu11.1 1.0.1f-1ubuntu11.4
2015-06-12 16:38:59 upgrade libssl-dev:amd64 1.0.1f-1ubuntu11.1 1.0.1f-1ubuntu11.4
2015-06-12 16:39:00 upgrade libssl1.0.0:amd64 1.0.1f-1ubuntu11.1 1.0.1f-1ubuntu11.4
So an upgrade on 2015-06-12 (two days ago)?

Synaptic shows this information for libssl:

Code: Select all

openssl (1.0.1f-1ubuntu11.4) vivid-security; urgency=medium

  * SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
OK, clear.

So isn't this a problem on the side of tweaknews? My SSL to sslreader.eweka.nl works sucesfully.
Top
User avatar
sander
Release Testers
Release Testers
Posts: 9429
Joined: January 22nd, 2008, 2:22 pm

Re: SSL3: dh key too small

Post by sander »

And, yes, the problem is on the side of news.tweaknews.eu. At least that's how I interpret this: https://weakdh.org/sysadmin.html says for news.tweaknews.eu:

Code: Select all

Warning! This site uses weak Diffie-Hellman parameters. Your site is vulnerable to attack and may stop working in Chrome, Firefox, Safari, and Internet Explorer with upcoming patches. You need to generate new, 2048-bit Diffie-Hellman parameters.
IP	Connected	TLS	Insecure DHE_EXPORT	DHE	Chrome
176.124.71.34			No	Insecure Parameters (short-bit)	Insecure Parameters (short-bit)
So contact them?
Image
Top
User avatar
sander
Release Testers
Release Testers
Posts: 9429
Joined: January 22nd, 2008, 2:22 pm

Re: SSL3: "dh key too small" with news.tweaknews.eu

Post by sander »

I contacted Tweaknews. Their answer:
We have updated our certificate. A recent update caused SSL connections to fail on certain systems. Please try again. Our apologies for any inconvenience.
I checked news.tweaknews.eu via https://weakdh.org/sysadmin.html, and it says "2048-bits". Good.
I checked in SABnzbd, and no error anymore. Good.

So it seems Tweaknews has solved their DH problem.
Top
Post Reply

Return to “General Help”