In continuation of our articles on OpenCA, today I got the error “Aborting connection – you are using a too short symmetric keylength()” while accessing the RA interface. This tutorial explains how to fix it.
Solution: Too Short Symmetric Keylength
The above error occurs when the symmetric key length specified in <openca_install_dir>/etc/access_control/ra.xml is too short. In my case, it was '128'.
<openca>
  <access_control>
    <channel>
      <type>mod_ssl</type>
      <protocol>ssl</protocol>
      <source>.*</source>
      <asymmetric_cipher>.*</asymmetric_cipher>
      <asymmetric_keylength>0</asymmetric_keylength>
      <symmetric_cipher>.*</symmetric_cipher>
      <symmetric_keylength>128</symmetric_keylength>
    </channel>
However, this link says that the symmetric_keylength should be equal to or greater than 128, and the same can be verified by clicking the SSL padlock in the address bar of the browser.
To solve this error, you may set the symmetric_keylength to '.*' or something higher than 128 and ensure that the web server is exporting the right KEYSIZE. To do that, copy and paste the line below into ssl.conf or httpd.conf:
SSLOptions +StdEnvVars +ExportCertData
You need to restart the web server.
# systemctl restart httpd
That’s it!
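An added example, not part of the original article or OpenCA's own code: a Python sketch that tells apart the two conditions the fix above addresses, a connection cipher weaker than the configured minimum and a web server that does not export the mod_ssl variables at all. It assumes the exported key size is mod_ssl's SSL_CIPHER_USEKEYSIZE variable; the function names, result labels and sample environments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Channel block from the article's ra.xml excerpt, closed here so it parses stand-alone.
RA_XML = """<openca><access_control><channel>
  <type>mod_ssl</type>
  <protocol>ssl</protocol>
  <source>.*</source>
  <asymmetric_cipher>.*</asymmetric_cipher>
  <asymmetric_keylength>0</asymmetric_keylength>
  <symmetric_cipher>.*</symmetric_cipher>
  <symmetric_keylength>128</symmetric_keylength>
</channel></access_control></openca>"""


def configured_minimum(xml_text):
    """Return symmetric_keylength as an int, or None when it is not a number (e.g. '.*')."""
    root = ET.fromstring(xml_text)
    value = (root.findtext("access_control/channel/symmetric_keylength") or "").strip()
    return int(value) if value.isdecimal() else None


def diagnose(xml_text, cgi_env):
    """Classify a request environment against the configured minimum key length."""
    minimum = configured_minimum(xml_text)
    if minimum is None:
        return "no-minimum"    # assumption of this sketch: a non-numeric value sets no floor
    raw = cgi_env.get("SSL_CIPHER_USEKEYSIZE", "")
    if not raw.isdecimal():
        return "not-exported"  # variable absent: check SSLOptions +StdEnvVars
    return "ok" if int(raw) >= minimum else "too-short"


if __name__ == "__main__":
    # Constructed sample environments, not captured from a real server.
    for env in ({}, {"SSL_CIPHER_USEKEYSIZE": "56"}, {"SSL_CIPHER_USEKEYSIZE": "256"}):
        print(env, "->", diagnose(RA_XML, env))
```

A "not-exported" result points at the SSLOptions line rather than at ra.xml, so the configured minimum does not need to be changed in that case.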