Node Docker routines:tls_process_ske_dhe:dh key too small
I've been googling this error for the past two days, but none of the solutions seem to help.
I've built a simple NodeJS server that makes an external API call with axios.
import { readdirSync, readFileSync } from 'fs';
import { join } from 'path';
import * as https from 'https';
import axios from 'axios';

// Read every .cer file from ./ssl and hand the contents to the agent as extra CAs
const loadCerts = (): Buffer[] => {
  const sslDir: string = join(process.cwd(), 'ssl');
  const certFilenames: string[] = readdirSync(sslDir).filter(filename => filename.endsWith('.cer'));
  console.log(`Loaded the following SSL certificates: ${certFilenames.join(', ')}`);
  return certFilenames.map(filename => readFileSync(join(sslDir, filename)));
};

const httpAgent = new https.Agent({
  rejectUnauthorized: false,
  ca: loadCerts(),
});

const response = await axios.post(`https://api.company.com`, params, {
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  httpsAgent: httpAgent
});
When testing this locally, everything works as expected. However, when I deployed this as a Docker image, I started experiencing some strange behaviours. I then tested my Docker image locally, and the same behaviour happened.
I'm seeing this obscure error:
Error: write EPROTO 140605946637248:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2150:
The error itself doesn't tell me much; Googling only gave me suggestions like upgrading my Node version (I'm using v14). I'm using the same Node version on my local machine and in the Docker image.
I suspect this might have something to do with the Docker image itself, am I missing some dependencies there?
EDIT:
In another Java project where I'm using the same API, there's this extra step in the Dockerfile, I'm guessing I need to do something similar for my node Docker image.
RUN sed -i 's/DH keySize < 2048/DH keySize < 1024/g' /etc/crypto-policies/back-ends/java.config
Solution 1:[1]
I solved that issue in my project with 2 steps:
1. Change Docker SSL settings
I edited /etc/ssl/openssl.cnf
inside the container
Replace strings:
TLSv1.2 => TLSv1
SECLEVEL=2 => SECLEVEL=1
You can do it by editing the Dockerfile; add these 2 lines:
RUN sed -i "s/TLSv1.2/TLSv1/g" /etc/ssl/openssl.cnf && \
    sed -i "s/SECLEVEL=2/SECLEVEL=1/g" /etc/ssl/openssl.cnf
P.S.: check your version of TLS and the value of SECLEVEL; if they do not match the ones provided above, modify the sed command arguments.
2. Set min TLS version for your request
import * as https from 'https';
import axios from 'axios';

const agent = new https.Agent({
  rejectUnauthorized: false,
  minVersion: 'TLSv1',
});

const response = await axios.post(`<YOUR_URL>`, params, {
  httpsAgent: agent
});
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |