
SSL certificate verify result: EE certificate key too weak (66), continuing anyway.

Hi,

 

We have SSL inspection enabled on Web filtering and one of our Linux users gets that error message when downloading using curl.

Proxy CA cert was generated this year so I don't know why it says it's too weak.

Can I just re-generate and re-deploy the cert to the endpoints?

Some info from the console:

 

$ curl https://dl-ssl.google.com/linux/linux_signing_key.pub 
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
 
 
$ curl -k -v https://dl-ssl.google.com/linux/linux_signing_key.pub 
* Trying 74.125.193.190...
* TCP_NODELAY set
* Connected to dl-ssl.google.com (74.125.193.190) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
* start date: May 3 10:56:47 2018 GMT
* expire date: Jun 23 10:56:47 2021 GMT
* issuer: C=**; L=******; O=*****; CN=******* Proxy CA; emailAddress=***@*******.com
* SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
> GET /linux/linux_signing_key.pub HTTP/1.1
> Host: dl-ssl.google.com
> User-Agent:
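
In OpenSSL, verify error 66 is X509_V_ERR_EE_KEY_TOO_SMALL, where EE is the end-entity certificate (the leaf at depth 0), not the issuing CA. The script below is an added example, not part of the original post: it reproduces the error with locally constructed certificates, and the security level 2, the 1024-bit leaf key and the names Demo Proxy CA and leaf.example are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example. Every key and certificate is constructed locally in a temp
# directory; "Demo Proxy CA" and "leaf.example" are made-up names.

# leaf_verify_code BITS
# Issues a leaf certificate with an RSA key of BITS bits from a 2048-bit CA,
# verifies it at OpenSSL security level 2 and prints the X.509 verify error
# code (0 when verification succeeds).
leaf_verify_code() {
    bits=$1
    dir=$(mktemp -d) || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Proxy CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Stand-in for the proxy's signing CA: 2048-bit RSA, SHA-256, self-signed.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Stand-in for the per-site certificate an inspecting proxy mints on the fly.
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=leaf.example" \
        -newkey "rsa:$bits" -nodes -sha256 \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$dir/leaf.pem" >/dev/null 2>&1
    # Level 2 requires 112 bits of security; 1024-bit RSA provides about 80.
    out=$(openssl verify -auth_level 2 -CAfile "$dir/ca.pem" "$dir/leaf.pem" 2>&1) || true
    rm -rf "$dir"
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    case "$out" in
        *": OK"*) echo 0 ;;
        *) echo "${code:-unknown}" ;;
    esac
}

# Same CA key size in both runs; only the leaf key size changes.
echo "1024-bit leaf: verify code $(leaf_verify_code 1024)"
echo "2048-bit leaf: verify code $(leaf_verify_code 2048)"
```

For a certificate saved from a real connection, `openssl x509 -noout -text -in cert.pem` shows the key size on its Public-Key line.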

