[SOLVED] ssl3_ctx_ctrl: dh key too small


New Member
Mar 3, 2019
After upgrading to 5.3 I can no longer log into the gui, and have the following error in the syslog with each attempt:
Mar  3 18:56:37 REDACTED pveproxy[3525]: dh params schmorp1539: failed to set DH parameters at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 622.
Mar  3 18:56:37 REDACTED pveproxy[3525]: problem with client; ssl3_ctx_ctrl: dh key too small
Mar  3 18:56:37 REDACTED pveproxy[3525]: dh params schmorp1539: failed to set DH parameters at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 622.
Mar  3 18:56:37 REDACTED pveproxy[3525]: problem with client; ssl3_ctx_ctrl: dh key too small

previously was running 5.2, and followed the standard apt update, upgrade, dist-upgrade, reboot cycle.

Anything obvious I'm missing?

# pveversion -v
proxmox-ve: 5.3-1 (running kernel: 4.15.18-11-pve)
pve-manager: 5.3-11 (running version: 5.3-11/d4907f84)
pve-kernel-4.15: 5.3-2
pve-kernel-4.15.18-11-pve: 4.15.18-34
pve-kernel-4.15.18-1-pve: 4.15.18-19
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-3
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-47
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-11
libpve-storage-perl: 5.0-38
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-3
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-2
openvswitch-switch: 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-10
proxmox-widget-toolkit: 1.0-22
pve-cluster: 5.0-33
pve-container: 2.0-34
pve-docs: 5.3-3
pve-edk2-firmware: 1.20181023-1
pve-firewall: 3.0-17
pve-firmware: 2.0-6
pve-ha-manager: 2.0-6
pve-i18n: 1.0-9
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 2.12.1-2
pve-xtermjs: 3.10.1-1
qemu-server: 5.0-46
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.12-pve1~bpo1
Firefox generally or Chrome. Tried both on my phone this morning (was using pc before) and also had same issues.

Firefox reports "Login failed. Please try again"
Chrome reports "Login failed. Please enter the correct credentials"

I can log in fine through command line on the same machine and also over ssh.
what is the content of /etc/default/pveproxy (if it exists)
/etc/default/pveproxy doesn't exist. Naively tried to create one with default parameters but didn't make a difference. Didn't get far enough to try excluding DH cyphers from the available list.

Not sure if related, but before updating to 5.3 I was installing nginx on a vm - though I don't see how that would have affected it as it was a vm (not a container).

I may end up just reinstalling proxmox again from scratch.
That's odd because the default cipher-list (which can only be overridden with /etc/default/pveproxy) contains no ciphers with DH key exchange...
and the default dh-group for pveproxy is 'skip2048'

EDIT: Took a look at the exact code-location where you got the error reported - and this seems like it's more related to the proxy_requests (between nodes and also to the privileged pvedaemon) instead of a client<-> pveproxy problem

In any case I couldn't reproduce the problem with a fully uptodate pve 5.3:
* do you have any particular apt-sources configured (please post your '/etc/apt/sources.list' and '/etc/apt/sources.list.d/*list')?
* please also post the output `dpkg -l|grep -i ssl`
* is this a cluster or a single node?

Last edited:
Your notes were just enough to lead me down the path to fixing it. Much appreciated!

Documentating for posterity:

Previously in /etc/apt/sources.list I was pulling in unstable packages (which I believe to be Sid in this case).
deb http://ftp.debian.org/debian unstable main contrib non-free
But when updating to 5.3 I cleared out any unnecessary entries from the source list.

Looking at the output of dpkg, and comparing against the debian package lists, I could see I wasn't on the stable branch
# dpkg -l|grep -i ssl
ii  libcrypt-openssl-bignum-perl         0.07-2                                  amd64        Perl module to access OpenSSL multiprecision integer arithmetic libraries
ii  libcrypt-openssl-random-perl         0.11-1+b3                               amd64        module to access the OpenSSL pseudo-random number generator
ii  libcrypt-openssl-rsa-perl            0.28-5                                  amd64        module for RSA encryption using OpenSSL
ii  libcrypt-ssleay-perl                 0.73.04-2                               amd64        OpenSSL support for LWP
ii  libcurl4:amd64                       7.62.0-1                                amd64        easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libflac8:amd64                       1.3.2-3                                 amd64        Free Lossless Audio Codec - runtime C library
ii  libgnutls-openssl27:amd64            3.6.6-2                                 amd64        GNU TLS library - OpenSSL wrapper
ii  libio-socket-ssl-perl                2.044-1                                 all          Perl module implementing object oriented interface to SSL sockets
ii  libnet-ssleay-perl                   1.80-1                                  amd64        Perl module for Secure Sockets Layer (SSL)
ii  libssl1.0.0:amd64                    1.0.1t-1+deb8u9                         amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.0.2:amd64                    1.0.2r-1~deb9u1                         amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64                      1.1.1b-1                                amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                              1.1.1b-1                                amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  perl-openssl-defaults:amd64          3                                       amd64        version compatibility baseline for Perl OpenSSL packages
ii  python3-openssl                      16.2.0-1                                all          Python 3 wrapper around the OpenSSL library
ii  ssl-cert                             1.0.39                                  all          simple debconf wrapper for OpenSSL

Following a couple of guides, Adam Margherio (blog) and Bill West (SO), I was able to downgrade from Sid to Stretch.
# cat /etc/apt/preferences.d/stretch_stable
Package: *
Pin: release a=stable
Pin-Priority: 1001

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade

There was a lot (408!) packages downgraded. I don't know if adding the unstable branch back into the sources list would it have also resolved the issue by updating whatever package was causing issues? Either way, I'm now on the stable branch and able to log into the gui again.
I inserted a buster main and buster-updates, which I think are causing me the same login issue you had. can you supply the steps you took to uninstall the unstable updates and get your system going again, my sites are up, but can't login to GUI
I follow your instructions, but this interface appears, I dare not continue to operate


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!