Network Manager Incompatible with OpenSSL 1.1.1

Posted: Tue Sep 04, 2018 5:48 pm
by mayheart
Hello,

I'm running Debian Buster on a local server; it comes bundled with OpenSSL 1.1.1. They've restricted some lower-strength ciphers, and now the manager won't start at all.

From crashlog:

Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
at Object.createSecureContext (_tls_common.js:98:17)
 at Server (_tls_wrap.js:805:25)
 at new Server (https.js:54:14)
 at Object.createServer (https.js:76:10)
 at Object.<anonymous> (/opt/netonix-manager/app.js:729:11)
 at Module._compile (module.js:652:30)
 at Object.Module._extensions..js (module.js:663:10)
 at Module.load (module.js:565:32)
 at tryModuleLoad (module.js:505:12)
 at Function.Module._load (module.js:497:3)
 at Function.Module.runMain (module.js:693:10)
 at startup (bootstrap_node.js:191:16)
 at bootstrap_node.js:612:3
js-bson: Failed to load c++ bson extension, using pure JS version
_tls_common.js:98
 c.context.setCert(options.cert);
 ^
Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
 at Object.createSecureContext (_tls_common.js:98:17)
 at Server (_tls_wrap.js:805:25)
 at new Server (https.js:54:14)
 at Object.createServer (https.js:76:10)
 at Object.<anonymous> (/opt/netonix-manager/app.js:729:11)
 at Module._compile (module.js:652:30)
 at Object.Module._extensions..js (module.js:663:10)
 at Module.load (module.js:565:32)
 at tryModuleLoad (module.js:505:12)
 at Function.Module._load (module.js:497:3)
 at Function.Module.runMain (module.js:693:10)
 at startup (bootstrap_node.js:191:16)
 at bootstrap_node.js:612:3
js-bson: Failed to load c++ bson extension, using pure JS version
_tls_common.js:98
 c.context.setCert(options.cert);
 ^

Re: Network Manager Incompatible with OpenSSL 1.1.1

Posted: Fri Oct 05, 2018 12:18 pm
by mayheart
Had some time to look into this more...

I first started by creating my own ssl certs for the webserver, that got it up and working. I could not fix this error though:

Device 'netonixtest' (192.168.1.1) changed state to Offline: Error: write EPROTO 139734254202880:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2159:

I restored the original Netonix keys and commented out the following two lines in /etc/ssl/openssl.cnf.

MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Netonix Manager now starts... not the best fix, as this leaves insecure ciphers open. Hopefully this helps with getting this fixed in a later version. Debian 10 and whatever distribution in the future adopts OpenSSL 1.1.1 will cause this to break.
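
Added example, not part of the original post and not Netonix code: both errors in this thread ("ee key too small" and "dh key too small") are OpenSSL security-level checks on key size. This Node.js sketch classifies a key against the minimums documented in SSL_CTX_set_security_level(3) and shows what commenting out the two openssl.cnf lines changes; the function names, the sample config strings and the fallback level of 1 are assumptions of this example.

```javascript
const nodeCrypto = require('crypto');

// Minimum key bits per security level (array index = level).
const MIN_BITS = {
  ff: [0, 1024, 2048, 3072, 7680, 15360], // RSA, DSA and DH
  ec: [0, 160, 224, 256, 384, 512],
};
const CURVE_BITS = { secp224r1: 224, prime256v1: 256, secp384r1: 384, secp521r1: 521 };

// Highest security level (0-5) that a key of this type and size satisfies.
function maxSecurityLevel(type, bits) {
  const table = type === 'ec' ? MIN_BITS.ec : MIN_BITS.ff;
  let level = 0;
  while (level < 5 && bits >= table[level + 1]) level++;
  return level;
}

// Type and size of the public key in a PEM key or PEM X.509 certificate.
function keyStrength(pem) {
  const key = nodeCrypto.createPublicKey(pem);
  const details = key.asymmetricKeyDetails || {};
  const type = key.asymmetricKeyType;
  const bits = type === 'ec' ? CURVE_BITS[details.namedCurve] : details.modulusLength;
  if (!bits) throw new Error(`unsupported key type: ${type}`);
  return { type, bits };
}

// Level set by an openssl.cnf CipherString line; '#' lines do not match (fallback 1 is assumed).
function configuredLevel(cnfText, libraryDefault = 1) {
  for (const line of cnfText.split('\n')) {
    const m = /^\s*CipherString\s*=.*@SECLEVEL=(\d)/.exec(line);
    if (m) return Number(m[1]);
  }
  return libraryDefault;
}

// Constructed input: the two lines from the post, active and commented out.
const ACTIVE = 'MinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n';
const COMMENTED = '#MinProtocol = TLSv1.2\n#CipherString = DEFAULT@SECLEVEL=2\n';

// Constructed keys: generate RSA keys and test them against both configs.
function demo() {
  return [1024, 2048].map((modulusLength) => {
    const { publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength });
    const { type, bits } = keyStrength(publicKey.export({ type: 'spki', format: 'pem' }));
    const level = maxSecurityLevel(type, bits);
    return { bits, active: level >= configuredLevel(ACTIVE), commented: level >= configuredLevel(COMMENTED) };
  });
}
console.log(demo());
```

To check a real file, pass the PEM text of the certificate to `keyStrength`.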

Re: Network Manager Incompatible with OpenSSL 1.1.1

Posted: Thu May 16, 2019 11:58 am
by marcbou
Dear Netonix, how many more months will it take to get a proper fix for this bug?

Re: Network Manager Incompatible with OpenSSL 1.1.1

Posted: Thu May 16, 2019 1:05 pm
by Stephen
Some of the work required for the new switches coming out has slowed down focus in other areas. But I am working on a new release of the Netonix Manager now and I will add this to the list. Thank you for the troubleshooting you have done on it - it will be helpful.