SSL Error during OAuth2

This post

about it has been closed, but I still encounter this problem in version

2.4.0.beta8

It´s happening during oauth2 authentication

Excon::Error::Socket (SSL_connect returned=1 errno=0 state=error: dh key too small (OpenSSL::SSL::SSLError))
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/ssl_socket.rb:125:in `connect_nonblock'

Last 14 lines of backtrace:

/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/ssl_socket.rb:125:in `connect_nonblock'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/ssl_socket.rb:125:in `initialize'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/connection.rb:455:in `new'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/connection.rb:455:in `socket'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/connection.rb:116:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/mock.rb:56:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/instrumentor.rb:34:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/idempotent.rb:19:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/base.rb:22:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/base.rb:22:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/connection.rb:270:in `request'
/var/www/discourse/plugins/discourse-oauth2-basic/plugin.rb:127:in `fetch_user_details'
/var/www/discourse/plugins/discourse-oauth2-basic/plugin.rb:164:in `after_authenticate'
/var/www/discourse/app/controllers/users/omniauth_callbacks_controller.rb:37:in `complete'

Cheers,

Julian

It doesn’t affect email in this case, but the explanation I gave in the topic you linked stays the same. The connection to the OAuth2 server fails because the DH key is too small and therefore considered insecure by OpenSSL.

You can apply the following temporary workaround, but increasing the DH key size on the OAuth2 server is the only solution.

2 Likes

sorry, I forgot … now the bad thing … it doesn´t work for me anymore …
I made the mentioned changes to /etc/ssl/openssl.cnf

[system_default_sect]
MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2

Then i left the container and did a

docker restart app

Afterwards I still got the same error in error logs

Didn´t say the truth, sorry… there error is not the same now:

Faraday::ConnectionFailed (Connection reset by peer - SSL_connect)
/usr/local/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock’

Very strange :frowning: … I just tried it again, and again this

“Oops, The software powering this discussion forum encountered an unexpected problem. We apologize for the inconvenience…”

came up … Then I "F5"´ved a few times (out of frustration :slight_smile: ) and suddenly the screen changed to

Sorry, there was an error authorizing your account. Please try again.

Then I had to log in again over my oauth2 provider log in site, and then came the “Ops …” again, and after another F5 I was in …

Uhmm… either I found a serious security problem, or it´s just about timing …

Probably the latter …

What timeouts are there, that I could try to adjust ?

Thanks and cheers!