Overview
This error indicates that the SSL/TLS connection failed because the server is using Diffie-Hellman (DH) parameters that are considered too small by modern security standards.
It is most commonly encountered when connecting to servers that still use weak or outdated cryptographic configurations.
What causes this error?
The error occurs when:
- The server uses DH parameters smaller than 2048 bits (commonly 1024-bit)
- The client (OpenSSL, curl, or the HetrixTools monitoring system) enforces modern security policies
- The SSL/TLS handshake is rejected due to insufficient cryptographic strength
Modern OpenSSL versions (1.1.1+ and especially 3.x) reject small DH keys by default for security reasons.
Why is this a problem?
Small DH parameters carry the following risks:
- Precomputation attacks against the DH group
- Logjam-style downgrade attacks
- Weaker forward secrecy for every session negotiated with them
Because of these risks, modern clients will refuse to connect rather than downgrade security.
How to fix this issue
Recommended solution (server-side)
The correct fix is to update the server configuration to use stronger DH parameters.
Step 1: Generate strong DH parameters
Run the following command on your server:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
You may optionally use 4096 bits for higher security (with increased CPU cost):
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Step 2: Configure your web server
For Nginx:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
For Apache:
Make sure your SSL configuration uses modern cipher suites and references the generated DH parameters; recent Apache releases built against an up-to-date OpenSSL handle this automatically with their default configuration.
Step 3: Restart your web server
Apply the changes:
systemctl restart nginx
or
systemctl restart apache2
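To verify the fix after the restart, the following POSIX shell script (an added example, not part of the HetrixTools article) forces a TLS 1.2 DHE handshake with openssl s_client and reports the ephemeral DH key size the server actually negotiates. It assumes the openssl command-line tool is installed; the sample transcripts are constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the HetrixTools article: report the ephemeral DH key
# size a server negotiates and whether a modern client would reject it.
# Assumes the openssl command-line tool is installed on the checking machine.

# Read an openssl s_client transcript (stdout and stderr merged) on stdin and
# print a verdict: "TOO_SMALL <bits>", "OK <bits>" or "NO_DHE 0".
# A modern client aborts the handshake before it prints "Server Temp Key",
# so the "dh key too small" error itself counts as a TOO_SMALL verdict.
dh_verdict() {
  awk '
    /dh key too small/ { refused = 1 }
    /Server Temp Key: *DH,/ {
      # example line: "Server Temp Key: DH, 1024 bits"
      for (i = 2; i <= NF; i++) if ($i == "bits") bits = $(i - 1)
    }
    END {
      if (refused)              print "TOO_SMALL " (bits == "" ? "unknown" : bits)
      else if (bits == "")      print "NO_DHE 0"
      else if (bits + 0 < 2048) print "TOO_SMALL " bits
      else                      print "OK " bits
    }
  '
}

# Live check: force a TLS 1.2 DHE cipher suite so the server's configured
# dhparam file is actually used (TLS 1.3 and ECDHE suites would bypass it).
check_host_dh() {
  host="$1"
  port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" \
      -tls1_2 -cipher DHE </dev/null 2>&1 | dh_verdict
}

# Constructed transcripts for offline use: a 1024-bit server refused by a
# modern client, and a server that has been fixed with 2048-bit parameters.
SAMPLE_REFUSED='CONNECTED(00000003)
...:error:0A00018A:SSL routines::dh key too small:...
---
no peer certificate available
---'
SAMPLE_FIXED='---
SSL handshake has read 2291 bytes and written 421 bytes
Server Temp Key: DH, 2048 bits
---'

# Usage: ./dhcheck.sh monitored.example 443   (hostname is a placeholder)
if [ -n "$1" ]; then
  check_host_dh "$1" "$2"
fi
```

Run it against the monitored hostname once the web server is back up; an OK verdict with 2048 or more bits confirms the new parameters are in use.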
How HetrixTools reports this error
When HetrixTools encounters this issue during SSL monitoring, it will log the following error in your Location Fail Log:
Error 35: error:0A00018A:SSL routines::dh key too small
This means the monitored endpoint is using weak DH parameters and should be updated.
Additional notes
- This issue is server-side and must be fixed on the server being monitored
- Updating OpenSSL alone will not fix the problem if the server configuration remains weak
- Most modern web server configurations already avoid this issue by default
Summary
This error is caused by outdated Diffie-Hellman parameters on the server. The only proper fix is to upgrade the server’s SSL configuration to use at least 2048-bit DH keys.