Duke-GCB / DukeDSClient

Command line program to allow uploading, downloading, and managing projects in the duke-data-service.
MIT License

SSLError DH_KEY_TOO_SMALL #262

Closed johnbradley closed 5 years ago

johnbradley commented 5 years ago

On a Linux server using openssl version 1.1.1 we encountered an error when trying to upload a chunk to the s3 backend.

requests.exceptions.SSLError: HTTPSConnectionPool(host='..dukes3..', port=443): Max retries exceeded with url: ..download_url.. (Caused by SSLError(SSLError(1, '[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:852)'),))

This problem was also visible just using curl and a docker container with openssl 1.1.1:

$ docker run -it python:3.6.9 curl "..s3url..."
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

We downgraded to an older version of openssl and the problem went away. The problem does not occur with OpenStack Swift backend.

I believe this error is due to openssl changes made to prevent a Logjam attack. More details: https://github.com/Duke-GCB/D4S2/issues/218

johnbradley commented 5 years ago

One possible fix is to disable the Diffie-Hellman cipher: https://github.com/Duke-GCB/D4S2/issues/218#issuecomment-518261892

johnbradley commented 5 years ago

This was fixed by a change to the cipher settings for the s3 backend server.
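
The client-side workaround mentioned in the thread (disabling Diffie-Hellman ciphers), as an added example that is not part of the original issue or of DukeDSClient's code: a Python `ssl` client context that keeps certificate verification but stops offering finite-field DHE suites, with a check over the resulting cipher list. The cipher string `DEFAULT:!DH`, the function names and the sample list are assumptions made for this example.

```python
import ssl

# Assumption for this example: OpenSSL's DEFAULT list minus every suite
# that uses finite-field (ephemeral or anonymous) Diffie-Hellman.
NO_DHE_CIPHERS = "DEFAULT:!DH"


def finite_field_dhe(ciphers):
    """Return names of suites whose key exchange is finite-field DHE.

    `ciphers` is a list of dicts as returned by SSLContext.get_ciphers();
    OpenSSL 1.1.0+ reports the key exchange in the 'kea' field.
    """
    return [c["name"] for c in ciphers if c.get("kea") == "kx-dhe"]


def client_context_without_dhe():
    """Verified TLS client context that never offers DHE key exchange."""
    ctx = ssl.create_default_context()  # keeps cert + hostname verification
    ctx.set_ciphers(NO_DHE_CIPHERS)     # governs TLS 1.2 and older suites
    return ctx


def audit(ctx):
    """Summarise what a context will offer, as a pre-flight check."""
    ciphers = ctx.get_ciphers()
    return {
        "total": len(ciphers),
        "dhe": finite_field_dhe(ciphers),
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


# Constructed sample in get_ciphers() format, to show the filter itself.
SAMPLE = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "kea": "kx-ecdhe"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "kea": "kx-dhe"},
    {"name": "TLS_AES_256_GCM_SHA384", "kea": "kx-any"},
]

if __name__ == "__main__":
    print("sample DHE suites:", finite_field_dhe(SAMPLE))
    print("stock context:", audit(ssl.create_default_context()))
    print("hardened context:", audit(client_context_without_dhe()))
```

This only changes what the client offers; the server must still support a non-DHE suite such as ECDHE for the handshake to succeed.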