How to fix the openssl issue "tls_process_ske_dhe:dh key too small" without reducing security

I know that several people asked the same:

How to solve the "tls_process_ske_dhe:dh key too small" error

But I want to really understand why the only solution proposed is to lower the security protocols. Instead of that I would really appreciate someone who can point me in the right direction to solve this issue without affecting the security level.

I don't want to make this change in /etc/ssl/openssl.cnf on a production server:

MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1

It's not in production yet, but sooner or later it will be.

A little bit of context:

I am using Guzzle Http to make a GET request in a Laravel stack, using docker.

I'd like to provide more details if it's needed to get me in the right direction.

Thanks in advance.

Alejandro Abraham asked Oct 28 '25 10:10


2 Answers

But I want to really understand why the only solution proposed is to lower the security protocols.

This is not the only solution. The best solution is to fix the server so that it does not offer a weak DH key in the first place.

The second best solution is to disable all DH ciphers in the client, so that it does not attempt to use these. This is of course provided that the server supports something better than DH ciphers in the first place, i.e. offers ECDHE key exchange. This will work around the problem by simply not offering DH ciphers to the server and thus not running into the weak DH problem.

Of course, if the server is broken in multiple ways and does not offer modern ciphers and modern protocols and stronger DH keys, then there is no way to connect to the server other than using weaker settings.

Steffen Ullrich answered Oct 29 '25 23:10
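The client-side workaround described in the answer above (drop the DH suites so that ECDHE is negotiated, keeping the default SECLEVEL), applied to the asker's Laravel/Guzzle stack. This is an added example, not code from the question or either answer; it assumes Laravel's Http facade over Guzzle with curl's OpenSSL backend, and the URL is a placeholder.

```php
<?php
// Added example (not from the question or either answer). Assumes Laravel's
// Http client (Guzzle + curl built against OpenSSL). The URL is a placeholder.

use Illuminate\Support\Facades\Http;
use Illuminate\Http\Client\Response;

// OpenSSL cipher string: keep the default suite list and the default
// security level, but remove every suite whose key exchange is finite-field
// ephemeral DH (kDHE). A TLS 1.2 handshake then negotiates ECDHE, so the
// server never sends the small DH parameters that trigger
// "tls_process_ske_dhe:dh key too small".
// Only TLS <= 1.2 is affected: TLS 1.3 has no ServerKeyExchange message and
// negotiates named groups instead, so it never raises this error.
const CIPHERS_NO_DH = 'DEFAULT:!kDHE';

function getWithoutDh(string $url): Response
{
    return Http::withOptions([
        // Guzzle hands the 'curl' option array to curl_setopt_array() as-is.
        // CURLOPT_SSL_CIPHER_LIST is passed to OpenSSL as a cipher string.
        'curl' => [
            CURLOPT_SSL_CIPHER_LIST => CIPHERS_NO_DH,
        ],
    ])->get($url);
}

$res = getWithoutDh('https://example.test/api');
echo $res->status(), PHP_EOL;
```

Check first that the server offers an ECDHE suite at all, e.g. `openssl s_client -connect host:443 -cipher 'DEFAULT:!kDHE'`; if that handshake fails too, the server is in the "broken in multiple ways" case and only the server-side fix remains.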


Just change it on that specific connection.

use Illuminate\Support\Facades\Http;

$res = Http::withOptions([
    // Passed straight to curl: lowers OpenSSL's security level for this request only,
    // leaving /etc/ssl/openssl.cnf untouched.
    'curl' => [CURLOPT_SSL_CIPHER_LIST => 'DEFAULT@SECLEVEL=1'],
])->get('your url');
HFranco answered Oct 30 '25 00:10


