Exception [SSL: DH_KEY_TOO_SMALL] dh key too small

[robsonware]

Hello, first at all, thanks for this amazing tool!

Guys, I'm having problems with DH_KEY_TOO_SMALL. I'm try to generate another one key inside container.

sudo docker exec -it otterwiki-otterwiki-1 bash

then

openssl dhparam -out dhparam.pem 2048

But e-mail sender still not working.

I'm using for now in localhost, but I'll deploy to production after resolve this e-mail issue.

The docker logs from otterwiki container:

*** Starting uWSGI 2.0.21-debian (64bit) on [Tue Jan  2 14:48:03 2024] ***
compiled with version: 12.2.0 on 19 May 2023 13:59:29
os: Linux-5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023
nodename: fcef598b0594
machine: x86_64
clock source: unix
pcre jit disabled
detected number of CPU cores: 8
current working directory: /
writing pidfile to /tmp/uwsgi.pid
detected binary path: /usr/bin/uwsgi-core
chdir() to /app
your memory page size is 4096 bytes
detected max file descriptor number: 1048576
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to UNIX address /tmp/uwsgi.sock fd 3
setgid() to 33
setuid() to 33
Python version: 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]
PEP 405 virtualenv detected: /opt/venv
Set PythonHome to /opt/venv
Python main interpreter initialized at 0x7f77c477c018
python threads support enabled
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 5 seconds
mapped 145840 bytes (142 KB) for 1 cores
*** Operational MODE: single process ***
WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter 0x7f77c477c018 pid: 11 (default app)
spawned uWSGI master process (pid: 11)
spawned uWSGI worker 1 (pid: 16, cores: 1)
running "unix_signal:15 gracefully_kill_them_all" (master-start)...
2024-01-02 14:48:05,229 INFO success: quit_on_failure entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
172.25.0.1 - - [02/Jan/2024:14:48:06 +0000] "GET /-/admin HTTP/1.1" 200 13997 "http://localhost:8080/-/admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0" "-"
[2024-01-02 14:48:24,025] ERROR in helper: send_async_email(): Exception [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:992)
172.25.0.1 - - [02/Jan/2024:14:48:24 +0000] "POST /-/admin HTTP/1.1" 302 238 "http://localhost:8080/-/admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0" "-"
172.25.0.1 - - [02/Jan/2024:14:48:24 +0000] "GET /-/admin HTTP/1.1" 200 14233 "http://localhost:8080/-/admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0" "-"

All e-mail setup is correct, others systems and containers works properly.

My docker-compose.yml file:

version: '3'
services:
  otterwiki:
    image: redimp/otterwiki:latest
    restart: unless-stopped
    ports:
      - 8080:80
    volumes:
      - ./app-data:/app-data

[shangri26199]

could you please check the tls version of your mailserver and report back the output with:

openssl s_client -starttls smtp -crlf -connect mailserver.domain.tld:25

[redimp]

Hey @robsonware, happy that you like using An Otter Wiki.

The problem you are observing, is the mail client trying to send the email. It is reporting a problem with the server. The client here is An Otter Wiki using Flask-Mail, which is using the python smtplib.

Since your other systems are working with your mailserver, please double check that you have picked the correct Mail Server Port and Mail Security, e.g. port 465 with SSL or port 25 with TLS, or port 587 with TLS and report it back here.

If it is the case, that your mail server is the problem, you could path the /etc/ssl/openssl.cnf in the otterwiki image, but I would recommend to update the mailserver, soon.

[robsonware]

Hey guys.

Thanks for the quick response.

@shangri26199 I don't have access to the email server, it is a department from another institution that provides the email sending service for the company where I work.

@redimp I checked and tested other port configurations but the error persists. If I try other configurations other than port 587 + TLS it returns the same error or "Error: [Errno 113] No route to host"

The strange thing is that in other applications written in PHP, GO, JAVA or Node, all emails are sent normally. However, another application written in Ruby (Zammad) had the same error, but the Zammad implementation project was abandoned and this problem remained in limbo.

But you can close this issue, apparently the problem is with the mailserver, I will check if they can update it.

Thank you very much.

[shangri26199]

Hey @robsonware,

you can check this from any machine with the openssl package installed. If running the containers on a linux host (or WSL as your log suggests) you can check the emailserver from this host too.

[robsonware]

@shangri26199 ok, the output for openssl s_client -starttls smtp -crlf -connect smtp.xxx.xxx:587 is:

CONNECTED(00000003)
depth=3 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=2 C = BE, O = GlobalSign nv-sa, CN = Trusted Root TLS CA SHA256 G3
verify return:1
depth=1 C = BR, O = XXXXXXXXXXXXXXXXXXXX - RNP, CN = RNP ICPEdu OV SSL CA 2019
verify return:1
depth=0 C = BR, ST = Rio de Janeiro, L = Rio de Janeiro, O = XXXXXXXXXXXXXXXXXXXX, CN = *.XXXXXXXXXXXXXXXXXXXX.br
verify return:1
40D7AD2CAA7F0000:error:0A00018A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2086:
---
Certificate chain
 0 s:C = BR, ST = Rio de Janeiro, L = Rio de Janeiro, O = XXXXXXXXXXXXXXXXXXXX, CN = *.XXXXXXXXXXXXXXXXXXXX.br
   i:C = BR, O = Rede Nacional de Ensino e Pesquisa - RNP, CN = RNP ICPEdu OV SSL CA 2019
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul  4 13:37:06 2023 GMT; NotAfter: Aug  4 12:51:12 2024 GMT
 1 s:C = BR, O = Rede Nacional de Ensino e Pesquisa - RNP, CN = RNP ICPEdu OV SSL CA 2019
   i:C = BE, O = GlobalSign nv-sa, CN = Trusted Root TLS CA SHA256 G3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul  5 00:00:00 2020 GMT; NotAfter: May 15 00:00:00 2026 GMT
 2 s:C = BE, O = GlobalSign nv-sa, CN = Trusted Root TLS CA SHA256 G3
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul  5 00:00:00 2020 GMT; NotAfter: Apr 25 11:00:00 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGyTCCBbGgAwIBAgIMcHs8Wv1rOyE7gtr2MA0GCSqGSIb3DQEBCwUAMGQxCzAJ
BgNVBAYTAkJSMTEwLwYDVQQKEyhSZWRlIE5hY2lvbmFsIGRlIEVuc2lubyBlIFBl
c3F1aXNhIC0gUk5QMSIwIAYDVQQDExlSTlAgSUNQRWR1IE9WIFNTTCBDQSAyMDE5
MB4XDTIzMDcwNDEzMzcwNloXDTI0MDgwNDEyNTExMlowgYYxCzAJBgNVBAYTAkJS
MRcwFQYDVQQIEw5SaW8gZGUgSmFuZWlybzEXMBUGA1UEBxMOUmlvIGRlIEphbmVp
cm8xMTAvBgNVBAoTKFVuaXZlcnNpZGFkZSB...==
-----END CERTIFICATE-----
subject=C = BR, ST = Rio de Janeiro, L = Rio de Janeiro, O = XXXXXXXXXXXXXXXXXXXX, CN = *.XXXXXXXXXXXXXXXXXXXX.br
issuer=C = BR, O = Rede Nacional de Ensino e Pesquisa - RNP, CN = RNP ICPEdu OV SSL CA 2019
---
No client certificate CA names sent
---
SSL handshake has read 5016 bytes and written 354 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1704300938
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Some informations was masked with XXXXXXXXXXXXXXXXXXXX. Certificate is truncated.

[shangri26199]

Looks like the issuee is comming from the mailserver, see

40D7AD2CAA7F0000:error:0A00018A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2086:

you should report this to whoever is running the server and give additional information like https://weakdh.org/ . as this could surely be fixed on changing the way how mails are written, i don't think that's the proper way.

[redimp]

Good luck with poking the mailservers department! A useful tool is https://testssl.sh/, perhaps this will give your request more emphasis.

Since this is not a otterwiki issue, I close this issue.