Line 113 in 7bd5876
var clientkeys = forge.pki.rsa.generateKeyPair(1024);

var opts = {
  keySize: 2048,
  algorithm: 'sha256',
  days: 365 * 10,
  clientCertificate: true,
  clientCertificateCN: 'client_name'
}
var pems = await selfsigned.generate(attrs, opts)
Trying to use the client certificate to connect to the server, in this case MQTT.JS connecting to AEDES.
On Debian I receive the error message:
Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
OpenSSL 1.1.1d 10 Sep 2019
The only way around it is to modify /etc/ssl/openssl.cnf and change:
CipherString = DEFAULT@SECLEVEL=2
to
CipherString = DEFAULT@SECLEVEL=1
I believe the issue is the referenced issue above and generating the client certificates as 1024 bit. SECLEVEL=2 requires a minimum of 2048 bits.
Expose an option for clientCertificateKeySize, just like you use keySize for the server side, and that should satisfy the requirements. That, or just using keySize for both, would be fine as well.
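
A way to catch this before a TLS handshake fails, as an added example that is not part of the original issue or of the library's code: it reads the RSA modulus size from a key or certificate PEM with Node's built-in `crypto` module and reports the highest OpenSSL security level that key satisfies. The function names and the `constructedKeyPem` helper are hypothetical, and the sample keys are constructed at run time.

```javascript
// Added example: measure RSA key size in a PEM and map it to OpenSSL
// security levels, so an undersized client key is caught before deployment.
const crypto = require('crypto');

// Minimum RSA modulus bits OpenSSL requires at each security level
// (per the SSL_CTX_set_security_level documentation).
const MIN_RSA_BITS = { 0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360 };

// Return the RSA modulus length in bits for a certificate, public key,
// or private key PEM string.
function rsaBits(pem) {
  const key = pem.includes('BEGIN CERTIFICATE')
    ? new crypto.X509Certificate(pem).publicKey
    : crypto.createPublicKey(pem); // also derives the public half of a private key
  if (key.asymmetricKeyType !== 'rsa') {
    throw new Error(`not an RSA key: ${key.asymmetricKeyType}`);
  }
  return key.asymmetricKeyDetails.modulusLength;
}

// Highest security level whose RSA minimum this key meets.
function maxSecLevel(pem) {
  const bits = rsaBits(pem);
  let level = 0;
  for (const [lvl, min] of Object.entries(MIN_RSA_BITS)) {
    if (bits >= min) level = Math.max(level, Number(lvl));
  }
  return level;
}

// Throw if the key would be rejected at the given level
// (Debian's default shown in the issue is SECLEVEL=2).
function assertKeyMeetsLevel(pem, level = 2) {
  const bits = rsaBits(pem);
  if (bits < MIN_RSA_BITS[level]) {
    throw new Error(`RSA key is ${bits} bits; SECLEVEL=${level} needs ${MIN_RSA_BITS[level]}`);
  }
  return bits;
}

// Constructed sample input: a throwaway RSA private key PEM of the given size.
function constructedKeyPem(bits) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: bits,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  }).privateKey;
}
```

Running `assertKeyMeetsLevel` on both the server and client PEMs after generation surfaces a mismatch like the one reported here without lowering `SECLEVEL` on the host.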