HTTP Server Test Error "dh Key Too Small"
If a ThousandEyes HTTP Server test (or the HTTP Server view of a Page Load test) fails with an SSL error and the message:
routines:ssl3_check_cert_and_algorithm:dh key too small
the web server that performed TLS negotiation with the ThousandEyes Agent was configured with a Diffie-Hellman group that is cryptographically weak. Because of the insecure nature of weak Diffie-Hellman groups, many HTTP clients (including ThousandEyes Agents) will refuse to communicate via HTTPS with such a server.
Web servers that have been in service for many years without recent updates, or that have compatibility requirements with very old clients that cannot support newer encryption are most likely to see this error.
In 2015, a cryptographic attack called Logjam demonstrated the possibility of decrypting HTTPS-based communication if the attacker could capture the communications between client and server, such as capturing packets from an intermediate network device that handles the communications. Part of the attack targets encryption schemes based on the Ephemeral Diffie-Hellman (abbreviated as EDH or DHE) keying algorithm, which is designed to create session keys with forward secrecy.
Web servers that use Diffie-Hellman are configured with a precomputed set of prime numbers, called a Diffie-Hellman group. The number that is termed the "size" of the group (the modulus size, specifically) is proportional to the strength of the encryption key that will be created via the Diffie-Hellman calculations--the bigger the group size, the stronger the key. Common group sizes at the time of the attack announcement were 512 bits, 768 bits and 1024 bits.
Group sizes of 512 bits and 768 bits are now considered weak. Generally, 1024 bits is the minimum accepted size but not recommended, and 2048 bits is considered best practice. In particular OpenSSL, the library that provides HTTPS functionality for ThousandEyes and most other HTTP client software, has deprecated 512bit and 768-bit Diffie-Hellman groups. Web servers that attempt TLS negotiations using 512-bit and 768-bit Diffie-Hellman groups will cause OpenSSL-based clients to terminate the TLS negotiation. This includes the client that executes a ThousandEyes HTTP Server test.
To confirm that a test displaying the error message is the result of a server using a weak Diffie-Hellman group, run the openssl command from any system that can contact the server:
openssl s_client -connect www.example.com:443 -cipher "EDH" | grep "Server Temp Key"
and
openssl s_client -connect www.example.com:443 -cipher "DHE" | grep "Server Temp Key"
This output will provide the number of bits in the EDH or DHE cipher's key. The version of the openssl program must be at least 1.0.2b to produce the Server Temp Key output.
Alternatively, a packet capture of the TLS handshake between a client and the server can identify a Diffie-Hellman modulus with too few bits. For the Wireshark packet capture and display program, a display filter of:
ssl.handshake.p_len < 128
will show SSL/TLS handshakes with a modulus (mathematically denoted by the symbol "p") length of fewer than 1024 bits (128 bytes).
Consult your web server documentation for instructions on upgrading the cryptographic libraries that perform TLS negotiation. Server software may or may not be upgradable to libraries that can be compatible with modern clients such as used by ThousandEyes tests while maintaining the weak ciphers needed for servicing old clients.
As a reference, below are links to announcements regarding weak Diffie-Hellman ciphers from the makers of common browsers.
Internet RFCs pertaining to commonly used Diffie-Hellman groups: