search

jfromaniello / selfsigned

Generate self-signed certificates from node.js
MIT License
237 stars 53 forks source link

SSL routines:SSL_CTX_use_certificate:ee key too small #33

Open Einstein42 opened 5 years ago

Einstein42 commented 5 years ago

https://github.com/jfromaniello/selfsigned/blob/7bd58764439eee6198895338fd2f6e388f5833d0/index.js#L113

    var opts = {
        keySize: 2048,
        algorithm: 'sha256',
        days: 365 * 10,
        clientCertificate: true,
        clientCertificateCN: 'client_name'
      }

var pems = await selfsigned.generate(attrs, opts)

Trying use the client certificate to connect to the server. In this case MQTT.JS connecting to AEDES.

On debian I receive the error message

Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

OpenSSL 1.1.1d 10 Sep 2019

Only way around it is to modify: /etc/ssl/openssl.cnf and change:

CipherString = DEFAULT@SECLEVEL=2 to CipherString = DEFAULT@SECLEVEL=1

I believe the issue is the referenced issue above and generating the client certificates as 1024 bit. SECLEVEL=2 requires minimum of 2048 bit.

Expose a option for clientCertificateKeySize just like you use keySize for the server side and that should satisfy the requirements. That or just use keySize for both would be fine as well.

blahah commented 4 years ago

For modern implementations the keySize should default to 2048 anyway, and as you rightly point out should be applied to both keys.

PR incoming...

euneuber commented 3 years ago

I had this error with OpenSSL 1.1.1j (2021-02-16) because of private key size is only 1024 bit as default.

Please increase the default private key size to 2048 bit!