ECS: "DH key too small" error appears when trying to connect a Docker container to port 9021
Summary: OpenSSL with its default cipher is unable to negotiate with ECS. A "DH key too small" error is displayed when trying to connect Docker to port 9021.
Symptoms
Run OpenSSL from an ECS node and check whether the cipher it negotiates by default is DHE-RSA-AES256-GCM-SHA384:
admin@ecsnode1:~> openssl s_client -host ecsnode1.gslabs.lab.emc.com -port 9021 -cipher kEDH
CONNECTED(00000003)
depth=0 C = US, ST = MD, O = Object Storage, OU = Object, CN = *.gslabs.lab.emc.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=MD/O=Object Storage/OU=Object/CN=*.gslabs.lab.emc.com
i:/C=US/ST=MD/O=Object Storage/OU=Object/CN=*.gslabs.lab.emc.com
---
Server certificate
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
subject=/C=US/ST=MD/O=Object Storage/OU=Object/CN=*.gslabs.lab.emc.com
issuer=/C=US/ST=MD/O=Object Storage/OU=Object/CN=*.gslabs.lab.emc.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2487 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 3AA7A2E63DC4E4D2DC4D5D5A39E2019B27C82A0D3E7F1E57F6503FEA1A572BF7
Session-ID-ctx:
Master-Key: 7AF2D9FB150A7B5617E744CE82A4FA358A1C10AE504F313C9F3047599E050758D74D884870256C12A80BFFF3C60B8FB8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1681371380
Timeout : 300 (sec)
Verify return code: 0 (ok)
Cause
The cipher issue is a known issue that occurs because S3 is enabled by default on the data2 interface.
Resolution
If you see a "DH key too small" or DHE-RSA-AES256-GCM-SHA384 error blocking ECS access, open a support ticket with this information.
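To record the finding for such a ticket, the shell function below reads `openssl s_client` output and flags a `Server Temp Key` of type DH that is below a minimum size. It is an added example, not Dell or ECS tooling; the function name `check_dh_temp_key` and the 2048-bit default are assumptions.

```shell
#!/bin/sh
# Added example (not ECS tooling): classify the ephemeral key exchange that
# `openssl s_client` reports. Function name and 2048-bit default are assumptions.

# stdin: s_client output.  $1: minimum acceptable DH size in bits (default 2048).
# Prints one summary line.
# Returns 0 = acceptable, 1 = DH below the minimum,
#         2 = no "Server Temp Key" line (handshake failed or no ephemeral key).
check_dh_temp_key() {
    min_bits="${1:-2048}"
    awk -v min="$min_bits" '
        /^[ \t]*Server Temp Key:/ {
            line = $0
            sub(/^[ \t]*Server Temp Key:[ \t]*/, "", line)
            # "DH, 1024 bits" or "ECDH, P-256, 256 bits": type first, size last
            n = split(line, f, /,[ \t]*/)
            kind = f[1]
            bits = f[n]; sub(/[ \t]*bits.*$/, "", bits)
            found = 1
        }
        /^[ \t]*Cipher[ \t]*:/ {
            cipher = $0; sub(/^[^:]*:[ \t]*/, "", cipher)
        }
        END {
            if (!found) { print "UNKNOWN no Server Temp Key line"; exit 2 }
            # Only finite-field DH is compared against the minimum; curve
            # sizes (ECDH, X25519) are not comparable to DH modulus sizes.
            verdict = (kind == "DH" && bits + 0 < min + 0) ? "WEAK" : "OK"
            printf "%s kex=%s bits=%s cipher=%s\n", verdict, kind, bits, cipher
            exit (verdict == "WEAK")
        }'
}

# Sample input: the two relevant lines from the s_client output shown above.
SAMPLE='Server Temp Key: DH, 1024 bits
    Cipher    : DHE-RSA-AES256-GCM-SHA384'
printf '%s\n' "$SAMPLE" | check_dh_temp_key 2048 || echo "exit status: $?"

# Against a live node (placeholder host name):
# openssl s_client -host <ecs-node-fqdn> -port 9021 -cipher kEDH </dev/null 2>/dev/null \
#     | check_dh_temp_key 2048
```
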
Affected Products
ECS
Article Properties
Article Number: 000212353
Article Type: Solution
Last Modified: 11 Nov 2025
Version: 2