AE REST API curl throws dh key too small

Article ID: 262753

Updated On:

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

When calling the REST API with SSL enabled, the curl command fails with "dh key too small":

curl -v -f -H "${automicAuth}" ${automicServer}/executions -H "Content-Type:application/json" -d "${desc}"

* Trying IP...
* TCP_NODELAY set
* Connected to HOSTNAME (IP) port 8088 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
* Closing connection 0

curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

 

How can we avoid this error?

Environment

Release: 12.x and 21.x

Component: Automation Engine

Scope: REST API

Cause

This error means the SSL setup of the JCP is vulnerable: it supports small Diffie-Hellman (DH) keys, which "recent" versions of OpenSSL / curl reject during the TLS handshake.

Resolution

Workaround:

As explained here, enable the legacy cipher suites on the Linux system where the curl command is launched. Note that this changes the crypto policy for the whole system, not only for curl:

update-crypto-policies --set LEGACY

Solution:

Set up SSL in the JCP again: regenerate the keystore/certificates of the JCP REST API and use an updated Java version that blocks these short ciphers.

The steps are described here
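
To check the DH key size the JCP offers, before and after regenerating its SSL setup, the following added example (not part of the original article) parses the "Server Temp Key" line printed by `openssl s_client`. It assumes an OpenSSL 1.1.0 or later `openssl` CLI; the function names and the `JCP_ENDPOINT` variable are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and JCP_ENDPOINT are hypothetical.

# Read `openssl s_client` output on stdin and print the size (in bits) of the
# server's ephemeral finite-field DH key, from "Server Temp Key: DH, <n> bits".
dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Classify s_client output (stdin) against a minimum size (assumed default: 2048).
# Returns 0 = acceptable, 1 = DH key too small, 2 = no DHE key exchange seen.
check_dh() {
    min="${1:-2048}"
    bits="$(dh_bits)"
    if [ -z "$bits" ]; then
        echo "no finite-field DHE key exchange in this handshake"
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "WEAK: server DH key is $bits bits (minimum $min)"
        return 1
    fi
    echo "OK: server DH key is $bits bits"
}

# Live probe of host:port. TLS 1.2 and DHE suites are forced, and the security
# level is lowered for this single connection only, so the handshake completes
# and the key size can be read without changing the system crypto policy.
probe_jcp() {
    openssl s_client -connect "$1" -tls1_2 -cipher 'DHE:@SECLEVEL=0' \
        </dev/null 2>/dev/null | check_dh "${2:-2048}"
}

# Constructed sample of s_client output from a server with a small DH key.
SAMPLE_WEAK='CONNECTED(00000003)
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits
---'

printf '%s\n' "$SAMPLE_WEAK" | check_dh || true

# Probe a real endpoint only when asked, e.g. JCP_ENDPOINT=HOSTNAME:8088
if [ -n "${JCP_ENDPOINT:-}" ]; then
    probe_jcp "$JCP_ENDPOINT" || true
fi
```

Once the JCP keystore and Java version have been updated, the probe should stop reporting WEAK.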