Regression #16421

closed

OpenVPN servers will not start with DH parameters < 2048

Added by Jim Pingle 2 months ago. Updated about 20 hours ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
OpenVPN
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
25.11
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

On current Plus 25.11 and CE 2.9.0 snapshots, OpenVPN servers will not start if they have a DH parameter size of 1024 in the configuration:

<dh_length>1024</dh_length>

A recent upstream change in OpenSSL appears to have enacted a new lower limit for security:

Sep 9 14:23:39 openvpn 86194 OpenSSL: error:0A00018A:SSL routines::dh key too small:
Sep 9 14:23:39 openvpn 86194 SSL_CTX_set0_tmp_dh_pkey
Sep 9 14:23:39 openvpn 86194 Exiting due to fatal error

We need some upgrade code to bump those to 2048 (or higher) on all server instances.

We also need to remove the 1024 choice from the drop-down and remove the file with the 1024 DH material and so on.

In the meantime those testing snapshots can edit the server and choose a DH value >= 2048.
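One way the upgrade step described in this issue could be written, as an added example that is not pfSense's own upgrade code: every OpenVPN server instance whose dh_length is below 2048 is raised to 2048 and a notice is recorded for each change. The <openvpn>/<openvpn-server>/<vpnid>/<description> layout of the constructed sample config is assumed for illustration; the 2048-bit floor is the one OpenSSL now enforces ("dh key too small").

```python
import xml.etree.ElementTree as ET

# OpenSSL now rejects DH parameters smaller than this ("dh key too small").
MIN_DH_BITS = 2048

# Constructed sample resembling a pfSense config.xml fragment; not a real config.
SAMPLE_CONFIG = """<pfsense>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <description>Legacy RA server</description>
      <dh_length>1024</dh_length>
    </openvpn-server>
    <openvpn-server>
      <vpnid>2</vpnid>
      <description>Site to site</description>
      <dh_length>4096</dh_length>
    </openvpn-server>
  </openvpn>
</pfsense>"""


def upgrade_dh_lengths(config_xml, min_bits=MIN_DH_BITS):
    """Raise every <dh_length> below min_bits; return (upgraded_xml, notices)."""
    root = ET.fromstring(config_xml)
    notices = []
    for server in root.iterfind("./openvpn/openvpn-server"):
        dh = server.find("dh_length")
        if dh is None or dh.text is None:
            continue  # no explicit size stored; nothing to upgrade here
        try:
            bits = int(dh.text.strip())
        except ValueError:
            continue  # leave unparseable values alone for the admin to fix
        if bits < min_bits:
            vpnid = server.findtext("vpnid", default="?")
            desc = server.findtext("description", default="")
            # One notice per changed server so the admin learns what was altered.
            notices.append(
                f"OpenVPN server {vpnid} ({desc}): DH parameter size raised "
                f"from {bits} to {min_bits} bits; OpenSSL rejects smaller sizes."
            )
            dh.text = str(min_bits)
    return ET.tostring(root, encoding="unicode"), notices
```

Running upgrade_dh_lengths(SAMPLE_CONFIG) changes only server 1 and returns its notice; server 2 keeps its 4096-bit setting.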

Actions #1

Updated by Jim Pingle 2 months ago

  • Description updated (diff)
Actions #2

Updated by aleksei prokofiev 13 days ago

Tested on
25.11-BETA (amd64)
built on Tue Oct 28 18:38:00 UTC 2025
FreeBSD 16.0-CURRENT

I can confirm this behavior.
Oct 31 10:22:07 openvpn 26250 OpenSSL: error:0A00018A:SSL routines::dh key too small:
Oct 31 10:22:07 openvpn 26250 SSL_CTX_set0_tmp_dh_pkey
Oct 31 10:22:07 openvpn 26250 Exiting due to fatal error

Actions #3

Updated by Marcos M 3 days ago

  • Assignee set to Marcos M
Actions #4

Updated by Marcos M 3 days ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle about 20 hours ago

  • Status changed from Feedback to Resolved

Looks good here now:

  • GUI option for 1024 is gone
  • The file with 1024 DH parameter data is no longer present
  • The configuration is changed on upgrade if needed
  • When the configuration is changed, a notice is filed letting the user know about the change