[GH-ISSUE #126] SSL Key to Small?? #97

Closed
opened 2026-05-05 05:14:56 -06:00 by gitea-mirror · 11 comments

Originally created by @liamsgotgenes on GitHub (Sep 7, 2018).
Original GitHub issue: https://github.com/debauchee/barrier/issues/126

I installed barrier on both my desktop and laptop, both running Debian sid. Install went perfectly, but I seem to have a problem using the application itself. On the server log, I keep on receiving

`ERROR: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small`

On the client the log says:

`ERROR: ssl error occurred (system call failure) ERROR: failed to connect to a secure socket`

This happens regardless of which machine is server/client.
Any ideas what this means and the solution?

Using OpenSSL 1.1.1 if that matters at all.


@liamsgotgenes commented on GitHub (Sep 7, 2018):

I have gotten it to work by disabling SSL on barrier but this is not the ideal solution, if anyone has any idea, let me know!


@walker0643 commented on GitHub (Sep 7, 2018):

I'm not able to reproduce this error for myself, but after a small bit of research (see https://weakdh.org/) I believe bumping the SSL cert key size is a good idea regardless. Please reopen if this issue comes back. Thanks!


@andreysm commented on GitHub (Jun 26, 2019):

I've encountered this problem with the latest version.

Built v2.2.0 (master) from sources both on Mac and Linux.
Server: Debian Linux (testing)
Client: MacOS Mojave 10.14.5

Error:

```
[2019-06-26T18:40:19] INFO: OpenSSL 1.1.1c 28 May 2019
[2019-06-26T18:33:10] DEBUG1: openSSL : compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-of5rlU/openssl-1.1.1c=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[2019-06-26T18:33:10] DEBUG1: openSSL : built on: Thu May 30 15:27:48 2019 UTC
[2019-06-26T18:33:10] DEBUG1: openSSL : platform: debian-amd64
[2019-06-26T18:40:19] ERROR: could not use ssl certificate
[2019-06-26T18:40:19] ERROR: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
```


@andreysm commented on GitHub (Jun 26, 2019):

Found workaround:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907888

> It is just a matter of editing file /etc/ssl/openssl.cnf changing last line
> from:
> `CipherString = DEFAULT@SECLEVEL=2`
> to
> `CipherString = DEFAULT@SECLEVEL=1`


@ghost commented on GitHub (Sep 24, 2019):

that works for me, but now I feel less secure? 😟


@rustyx commented on GitHub (Nov 7, 2019):

> ... but now I feel less secure? 😟

Of course. Don't lower SECLEVEL, use a longer key instead. In case of RSA, using a key of 2048 bits or more will suppress the "ee key too small" error.

"ee key too small" basically means your private key is too small and potentially insecure.


@zwessels commented on GitHub (May 5, 2020):

> > ... but now I feel less secure? 😟
>
> Of course. Don't lower `SECLEVEL`, use a longer key instead. In case of RSA, using a key of 2048 bits or more will suppress the "ee key too small" error.
>
> "ee key too small" basically means your private key is too small and potentially insecure.

@rustyx any ideas how to resolve this issue if you still get it after you have confirmed that you are using 2048 bits with RSA?


@baxi commented on GitHub (May 29, 2020):

Changed

`MinProtocol = TLSv1.2`

to

`MinProtocol = TLSv1.1`

and it solved my problem


@simons-public commented on GitHub (May 29, 2020):

@baxi This was resolved by 9e2fbe2 before version 2.2.0. Which version of Barrier are you using?


@sxgrn commented on GitHub (Aug 20, 2021):

I had this problem and found https://wiki.archlinux.org/title/Barrier, which helped me get past the problem. In my case I needed to:

```sh
openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ~/.local/share/barrier/SSL/Barrier.pem -out ~/.local/share/barrier/SSL/Barrier.pem

openssl x509 -fingerprint -sha1 -noout -in ~/.local/share/barrier/SSL/Barrier.pem > ~/.local/share/barrier/SSL/Fingerprints/Local.txt

sed -e "s/.*=//" -i ~/.local/share/barrier/SSL/Fingerprints/Local.txt
```

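An added check, written for this thread and not part of Barrier or OpenSSL, that ties together rustyx's explanation of `ee key too small` (the key is below the SECLEVEL minimum), zwessels's question of what to verify when the error persists, and sxgrn's regeneration steps: it reads a `Barrier.pem`-style file (private key plus self-signed certificate in one file, as sxgrn's `openssl req` command writes it), reports the RSA modulus size, decides whether OpenSSL at a given `SECLEVEL` would accept it, and derives the same colon-separated SHA-1 fingerprint that sxgrn's `sed` leaves in `Fingerprints/Local.txt`. The per-level minimum key sizes are taken from the `SSL_CTX_set_security_level(3)` man page (level 2 is 112-bit security, i.e. RSA of at least 2048 bits). The sample PEMs at the bottom are constructed for the demo: their DER is well-formed and only the modulus is meaningful, so they are not usable keys or certificates; the `constructed_*` and `to_pem` helpers exist only to build that sample input.

```python
"""Check a Barrier SSL PEM (key + certificate) against OpenSSL's SECLEVEL key-size rule and
derive the fingerprint Barrier keeps in Fingerprints/Local.txt. Standard library only."""
import base64
import hashlib
import re

# Minimum RSA modulus bits per OpenSSL security level (SSL_CTX_set_security_level(3)):
# level 1 = 80-bit security, 2 = 112-bit, 3 = 128-bit, 4 = 192-bit, 5 = 256-bit.
SECLEVEL_MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1


def pem_blocks(text):
    """Yield (label, der) for every -----BEGIN label----- block in a PEM file."""
    for m in re.finditer(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", text, re.S):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_read(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Split a SEQUENCE body into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(label, der):
    """Bit length of the RSA modulus in a PKCS#1 or PKCS#8 private key block; None otherwise."""
    if label == "PRIVATE KEY":  # PKCS#8: SEQUENCE { version, AlgorithmIdentifier, OCTET STRING key }
        kids = der_children(der_read(der, 0)[1])
        if der_children(kids[1][1])[0][1] != RSA_OID:
            return None  # not RSA (e.g. EC): SECLEVEL judges those by curve strength, not handled here
        der = kids[2][1]
    elif label != "RSA PRIVATE KEY":
        return None
    # PKCS#1 RSAPrivateKey: SEQUENCE { version, modulus n, publicExponent e, ... }
    modulus = der_children(der_read(der, 0)[1])[1][1]
    return int.from_bytes(modulus, "big").bit_length()  # leading 0x00 pad does not count


def check_pem(text, seclevel=2):
    """Return (rsa_bits, accepted_at_seclevel, sha1_fingerprint) for a Barrier.pem-style file."""
    bits, fingerprint = None, None
    for label, der in pem_blocks(text):
        found = rsa_modulus_bits(label, der)
        if found is not None:
            bits = found
        elif label == "CERTIFICATE":
            hexdigest = hashlib.sha1(der).hexdigest().upper()
            # colon-separated form of `openssl x509 -fingerprint -sha1`, minus the "SHA1 Fingerprint=" prefix
            fingerprint = ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))
    accepted = bits is not None and bits >= SECLEVEL_MIN_RSA_BITS[seclevel]
    return bits, accepted, fingerprint


# --- constructed sample input for the demo (not real keys or certificates) ---
def der_encode(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(x):
    # the extra byte keeps a leading 0x00 when the high bit is set, as DER requires for positive INTEGERs
    return der_encode(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))


def constructed_pkcs1(n):
    # version, n, e, then six filler INTEGERs standing in for d, p, q, dP, dQ, qInv
    return der_encode(0x30, der_int(0) + der_int(n) + der_int(65537) + der_int(1) * 6)


def constructed_pkcs8(pkcs1):
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + b"\x05\x00")
    return der_encode(0x30, der_int(0) + alg + der_encode(0x04, pkcs1))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


CERT_PEM = to_pem("CERTIFICATE", der_encode(0x30, b"constructed certificate stand-in"))
WEAK_PEM = to_pem("RSA PRIVATE KEY", constructed_pkcs1(3233)) + CERT_PEM  # 12-bit modulus
LEGACY_PEM = to_pem("RSA PRIVATE KEY", constructed_pkcs1((1 << 1023) | 1)) + CERT_PEM  # 1024-bit
OK_PEM = to_pem("PRIVATE KEY", constructed_pkcs8(constructed_pkcs1((1 << 2047) | 1))) + CERT_PEM  # 2048-bit

if __name__ == "__main__":
    for name, pem in (("weak", WEAK_PEM), ("legacy", LEGACY_PEM), ("ok", OK_PEM)):
        bits, accepted, fp = check_pem(pem, seclevel=2)
        print(f"{name}: RSA {bits} bits, accepted at SECLEVEL=2: {accepted}, fingerprint {fp}")
```

To run it against a real file, pass `open(path).read()` to `check_pem`; a result of `accepted == False` at `seclevel=2` is the condition that produces the `SSL_CTX_use_certificate:ee key too small` line above, and the fix is to regenerate with `-newkey rsa:2048` or larger rather than lowering `SECLEVEL`. The fingerprint is computed over the certificate block only, which is what `openssl x509 -fingerprint` hashes. Non-RSA keys return `None` for the size and are reported as not checked.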

@yourrams commented on GitHub (Jun 27, 2022):

If you are using RHEL 8 or above, steps to resolve:

```sh
update-crypto-policies --show
update-crypto-policies --set DEFAULT
reboot
```
