[Pkg-openssl-devel] Bug#907888: Bug#907888: openssl: Breaks wpa_supplicant (and NetworkManager) which fail with error "ee key too small"

Kurt Roeckx kurt at roeckx.be
Mon Sep 3 21:24:29 BST 2018


On Mon, Sep 03, 2018 at 06:26:05PM +0200, Gianpaolo Cugola wrote:
> TLS: Got certificate from PKCS12:
> subject='/C=IT/ST=Lombardia/L=Milano/O=Politecnico di Milano/OU=Area
> Sistemi ICT/CN=xxx at xxx.xx'
> TLS: Got private key from PKCS12
> TLS - SSL error: error:140C618F:SSL routines:SSL_use_certificate:ee key too
> small
> OpenSSL: tls_connection_private_key - Failed to load private key
> error:00000000:lib(0):func(0):reason(0)
> TLS: Failed to load private key '/home/cugola/wifiCert_nopass.p12'
> TLS: Failed to set TLS connection parameters

The fix is to tell your administrator to use 2048 (or more) bit
keys. I assume there are certificates on both sides, so they both
need to get replaced.

You can work around this issue by putting something like this in
your config file:
openssl_ciphers=DEFAULT@SECLEVEL=1

But you really should use a certificate with a stronger key.


Kurt
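
An added example, not part of the original message: a shell check that reads the RSA key size of the client certificate in a PKCS#12 file and reports the highest OpenSSL security level that would accept it. The function names and the sample text are constructed for illustration; the thresholds are those documented in SSL_CTX_set_security_level(3).

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the RSA key size found in `openssl x509 -noout -text` output on stdin.
# Handles "RSA Public-Key: (N bit)" (1.1.x) and "Public-Key: (N bit)" (3.x).
# Prints nothing for non-RSA keys, whose sizes are not comparable.
rsa_bits() {
    awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
         rsa && /Public-Key: \([0-9]+ bit\)/ {
             gsub(/[^0-9]/, ""); print; exit }'
}

# Highest OpenSSL security level that still accepts an RSA key of $1 bits.
max_seclevel() {
    if   [ "$1" -ge 15360 ]; then echo 5
    elif [ "$1" -ge 7680 ];  then echo 4
    elif [ "$1" -ge 3072 ];  then echo 3
    elif [ "$1" -ge 2048 ];  then echo 2   # the size asked for in the reply
    elif [ "$1" -ge 1024 ];  then echo 1   # what the SECLEVEL=1 workaround allows
    else echo 0
    fi
}

# Report on the client certificate inside PKCS#12 file $1.
# openssl prompts for the import password.
check_p12() {
    bits=$(openssl pkcs12 -in "$1" -nokeys -clcerts |
           openssl x509 -noout -text | rsa_bits)
    [ -n "$bits" ] || { echo "$1: no RSA public key found" >&2; return 2; }
    level=$(max_seclevel "$bits")
    echo "$1: RSA $bits bit, accepted up to SECLEVEL=$level"
    [ "$level" -ge 2 ]   # non-zero exit: key needs replacing
}

# Constructed excerpts of `openssl x509 -noout -text` output.
SAMPLE_RSA='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
SAMPLE_EC='        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'

# Run against a file only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_p12 "$1"
fi
```

Running it with the path to a `.p12` file exits non-zero when the certificate key is below 2048 bits, which makes it usable for auditing a directory of client certificates before the workaround is removed.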


