OpenCA error – Too Short Symmetric Keylength [Solution]

Updated on March 5, 2018

In continuation of our articles on OpenCA, today I got the error “Aborting connection – you are using a too short symmetric keylength()” while accessing the RA interface. This tutorial explains how to fix it.


Solution: Too Short Symmetric Keylength

The above error occurs when the symmetric key length specified in <openca_install_dir>/etc/access_control/ra.xml is too short. In my case, it was '128'.

<openca>
  <access_control>
    <channel>
      <type>mod_ssl</type>
      <protocol>ssl</protocol>
      <source>.*</source>
      <asymmetric_cipher>.*</asymmetric_cipher>
      <asymmetric_keylength>0</asymmetric_keylength>
      <symmetric_cipher>.*</symmetric_cipher>
      <symmetric_keylength>128</symmetric_keylength>
    </channel>

However, this link says that the symmetric_keylength should be equal to or greater than 128, and this can be verified by clicking the SSL padlock in the address bar of the browser.

To solve this error, you may set the symmetric_keylength to '.*' or something higher than 128, and ensure that the web server is exporting the right KEYSIZE. To do that, copy and paste the line below into ssl.conf or httpd.conf:

SSLOptions +StdEnvVars +ExportCertData

You need to restart the web server.

# systemctl restart httpd

That’s it!
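
One way to confirm the fix from the server side, as an added example that is not part of the original article or of OpenCA: the shell functions below compare the minimum in ra.xml with the key size that mod_ssl exports to CGI programs as SSL_CIPHER_USEKEYSIZE once StdEnvVars is enabled. That OpenCA reads this variable is an assumption, and the function names, verdict strings and sample file are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not OpenCA code): compare the minimum configured in ra.xml
# with the key size mod_ssl exports to CGI programs as SSL_CIPHER_USEKEYSIZE.
# Assumption: OpenCA checks the channel against that variable.

# Print the first <symmetric_keylength> value found in an ra.xml file.
required_keylength() {
    sed -n 's:.*<symmetric_keylength>\(.*\)</symmetric_keylength>.*:\1:p' "$1" | head -n 1
}

# check_keylength RA_XML EXPORTED_BITS
# Prints a verdict; returns 0 ok, 1 too short, 2 not exported,
# 3 no numeric minimum configured (for example '.*').
check_keylength() {
    required=$(required_keylength "$1")
    case $2 in
        ''|*[!0-9]*) echo "not-exported"; return 2 ;;
    esac
    case $required in
        ''|*[!0-9]*) echo "no-numeric-minimum"; return 3 ;;
    esac
    if [ "$2" -lt "$required" ]; then
        echo "too-short"; return 1
    fi
    echo "ok"
}

# Constructed sample: the channel block from the article with a chosen value.
write_sample_ra_xml() {
    cat > "$1" <<EOF
<openca>
 <access_control>
  <channel>
   <type>mod_ssl</type>
   <symmetric_cipher>.*</symmetric_cipher>
   <symmetric_keylength>$2</symmetric_keylength>
  </channel>
 </access_control>
</openca>
EOF
}

# Demo over constructed values; in a CGI script behind mod_ssl, pass
# "${SSL_CIPHER_USEKEYSIZE-}" as the second argument instead.
demo=$(mktemp)
write_sample_ra_xml "$demo" 128
for bits in 256 56 ""; do
    printf '%s -> ' "${bits:-<empty>}"
    check_keylength "$demo" "$bits" || true
done
rm -f "$demo"
```

A "not-exported" verdict means the web server is not passing the key size to the application at all. A "no-numeric-minimum" verdict means ra.xml no longer sets a numeric floor to compare against.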
