After being abruptly awakened on Saturday morning at 4am (nightly cron job for yum updates), we found that an upstream RHEL/CentOS update had changed the minimum acceptable length of DH keys to 768 bits.

The initial alarm which alerted us to this was from the Nagios check_smtp plugin against our mail platform, which reported “Cannot make SSL connection”, with extended info of:

SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3304

Subsequently, we also discovered that our MySQL replication (over SSL) broke at the same time.

Fixes documented below:

Sendmail (RHEL/CentOS5)

Turns out the default sendmail installation uses < 768-bit DH keys for TLS. To force a larger DH key, it’s necessary to manually generate one, using:

openssl dhparam -out /etc/mail/ssl/dhparam.pem -2 1024

And then add the following to


Run “cd /etc/mail && make”, followed by “service sendmail restart” to apply.
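Before restarting, it is worth confirming that the file you just generated actually clears the new 768-bit floor, since a stale or copied dhparam.pem is an easy way to trip the same alarm again. The following is an added example, not code from the original post: a small Python 3 script that parses a PEM "DH PARAMETERS" blob (PKCS#3, a DER SEQUENCE whose first INTEGER is the prime p) and reports the bit length of p. The `make_dh_pem` helper and the integers fed to it are constructed fixtures for self-testing only; they are sized correctly but are not real primes, and the default path `/etc/mail/ssl/dhparam.pem` is simply the one used above.

```python
import base64
import sys

# The minimum the updated OpenSSL client started enforcing.
MIN_DH_BITS = 768


def _read_tlv(buf, offset):
    """Read one DER tag/length/value triple starting at offset.
    Handles short-form and long-form lengths; returns (tag, value, next_offset)."""
    tag = buf[offset]
    length = buf[offset + 1]
    offset += 2
    if length & 0x80:                      # long form: low bits give byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[offset:offset + nbytes], "big")
        offset += nbytes
    value = buf[offset:offset + length]
    return tag, value, offset + length


def dh_prime_bits_from_pem(pem_text):
    """Return the bit length of the prime p in a PEM 'DH PARAMETERS' blob.
    PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }."""
    body = "".join(line.strip() for line in pem_text.strip().splitlines()
                   if not line.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime as first element")
    return int.from_bytes(p_bytes, "big").bit_length()


def dh_params_acceptable(pem_text, minimum=MIN_DH_BITS):
    """True if the DH prime is at least `minimum` bits long."""
    return dh_prime_bits_from_pem(pem_text) >= minimum


# --- constructed fixture encoder (test support only; p values are NOT primes) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                      # keep the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def make_dh_pem(p, g=2):
    """Wrap (p, g) as a PEM 'DH PARAMETERS' block, for building sample inputs."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


if __name__ == "__main__":
    # Usage: python check_dhparam.py [/path/to/dhparam.pem]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/mail/ssl/dhparam.pem"
    with open(path) as fh:
        bits = dh_prime_bits_from_pem(fh.read())
    status = "OK" if bits >= MIN_DH_BITS else "TOO SMALL"
    print(f"{path}: {bits}-bit DH prime ({status}, minimum {MIN_DH_BITS})")
```

Point it at the file from the `openssl dhparam` step above and it should report a 1024-bit prime; anything below 768 means the client side of the next Nagios check will fail exactly as before. The same function works on any DH parameter file, not just sendmail's, so it can be dropped into a monitoring check alongside the existing check_smtp probe.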


Whatever MySQL’s default cipher is, it doesn’t support > 512-bit DH keys. At the advice of, I added the following to /etc/my.cnf:


And ran “service mysqld restart” to apply the changes.
