SSL certificate verify result: EE certificate key too weak (66), continuing anyway.

Hi,

 

We have SSL inspection enabled on Web Filtering and one of our Linux users gets that error message when downloading using curl.

Proxy CA cert was generated this year so I don't know why it says it's too weak.

Can I just re-generate and re-deploy the cert to the endpoints?

Some info from the console:

 

$ curl https://dl-ssl.google.com/linux/linux_signing_key.pub 
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
 
 
$ curl -k -v https://dl-ssl.google.com/linux/linux_signing_key.pub 
* Trying 74.125.193.190...
* TCP_NODELAY set
* Connected to dl-ssl.google.com (74.125.193.190) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
* start date: May 3 10:56:47 2018 GMT
* expire date: Jun 23 10:56:47 2021 GMT
* issuer: C=**; L=******; O=*****; CN=******* Proxy CA; emailAddress=***@*******.com
* SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
> GET /linux/linux_signing_key.pub HTTP/1.1
> Host: dl-ssl.google.com
> User-Agent:


  • Hi Andrzej,

    Do you have Web Filtering in Transparent mode and is it scanning HTTPS?  Has he added the Proxy CA to /etc/ssl/certs?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907518#20

    * Increase default security level from 1 to 2. This moves from the 80
    bit security level to the 112 bit security level and will require 2048
    bit RSA and DHE keys.

     

    Just checked Proxy CA and it's 1024 bits.

    Is there any way to generate a 2048-bit Proxy CA?

  • Yes, Andrzej, on the 'HTTPS' tab of 'Web Filtering >> Filtering Options', you can [Regenerate] the Proxy CA.  If your UTM is at a high-enough version, it will be 2048 bits.  Note that until you have distributed this new CA to everyone, they will get certificate errors.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
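Added example (not from the thread, Sophos or the UTM): a shell check that reports the key size of every certificate in a saved PEM bundle and fails when one is below the 2048-bit floor the Debian change quoted above introduces, which is what curl's "EE certificate key too weak" points at. It assumes openssl, awk and sed are on PATH; the 1024-bit and 2048-bit CAs it checks are constructed in the script itself.

```shell
#!/bin/sh
# Added example (not from the thread): report the key size of every
# certificate in a PEM bundle and fail if one is below the 2048-bit floor
# that OpenSSL security level 2 enforces (curl's "key too weak" above).
MIN_BITS=2048

# Print the public-key size in bits of one PEM certificate file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate's key meets MIN_BITS.
cert_key_ok() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Check every certificate in a PEM bundle (for example a chain saved from
# 'openssl s_client -showcerts'); list each one, fail if any is too weak.
check_chain() {
    dir=$(mktemp -d); status=0
    # Split the bundle into one file per certificate, ignoring any preamble.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    for c in "$dir"/*.pem; do
        verdict=ok
        cert_key_ok "$c" || { verdict="TOO WEAK"; status=1; }
        echo "$(cert_key_bits "$c") bit  $verdict  $(openssl x509 -in "$c" -noout -subject)"
    done
    rm -rf "$dir"
    return "$status"
}

# Constructed sample data: a self-signed CA with a key of $1 bits written to
# $2 (the 1024-bit case mirrors the UTM Proxy CA in the thread). Throwaway key.
make_ca() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -days 1 \
        -subj "/CN=Constructed Proxy CA $1" -out "$2" 2>/dev/null
}

# Stand-alone demonstration: a chain mixing a 1024- and a 2048-bit CA fails.
demo=$(mktemp -d)
make_ca 1024 "$demo/weak.pem"
make_ca 2048 "$demo/strong.pem"
cat "$demo/weak.pem" "$demo/strong.pem" > "$demo/chain.pem"
check_chain "$demo/chain.pem" || echo "chain contains a key below $MIN_BITS bits"
rm -rf "$demo"
```

Run it against the chain a client actually received (saved from `openssl s_client -showcerts`) to see which link, here the Proxy CA, is the one that trips the level-2 check.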