I have an Ubuntu 16.04 server that runs the bip IRC proxy. Until recently, I was happily accessing bip from an Ubuntu 18.04 laptop. However, when I upgraded my laptop to Ubuntu 20.04, xchat refused to connect. This post describes how I fixed that.

The Error

xchat would display the following:

Connection failed. Error: (337260938) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Apparently the version of OpenSSL in Ubuntu 20.04 refuses to connect to servers that use DH parameters that are too small. xchat uses OpenSSL to connect to TLS-enabled servers. The ideal fix would be to configure bip to use larger or custom DH parameters. However, the version of bip in Ubuntu 16.04 doesn’t allow this; it generates the DH parameters internally with no way to override them :-(

The Fix

Instead of terminating the TLS session using bip itself, I reconfigured bip to listen in plain text on a different port on localhost, and installed stunnel4 to terminate the TLS session and proxy it to bip.

Bip Configuration

Original /etc/bip.conf:

ip = "0.0.0.0";
port = 8667;
client_side_ssl = true;
client_side_ssl_pem = "/etc/ssl/current/avon.wwwdotorg.org.key-and-crt";

New /etc/bip.conf:

ip = "127.0.0.1";
port = 8668;
client_side_ssl = false;

To restart it:

service bip restart

Stunnel Configuration

Create /etc/stunnel/wdo.conf:

[bip]
accept = 8667
connect = 127.0.0.1:8668
cert = /etc/ssl/current/avon.wwwdotorg.org.crt-and-bundle
key = /etc/ssl/current/avon.wwwdotorg.org.key

To install stunnel:

sudo apt install stunnel4

To enable it, edit /etc/default/stunnel4:

Original:

ENABLED=0

Modified:

ENABLED=1

To enable and start stunnel:

sudo systemctl enable stunnel4 # May be the default?
sudo service stunnel4 start
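
With bip now speaking plain text, the port it listens on (8668) must be reachable only through loopback, with stunnel on 8667 as the only public listener. The following check is an added example, not part of the original post; the function names and the sample `ss -ltn` listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read `ss -ltn` output on stdin and print each non-loopback local address
# on which PORT is listening. No output means the port is not exposed.
non_loopback_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }     # skip the header line
        {
            local_addr = $4         # e.g. 127.0.0.1:8668, [::1]:8668, *:8667
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr
        }'
}

# Succeed only if PORT has no non-loopback listener in the listing on stdin.
port_is_loopback_only() {
    [ -z "$(non_loopback_listeners "$1")" ]
}

# Constructed sample: the layout the post ends up with.
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8667       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8668     0.0.0.0:*'

# Constructed sample: bip switched to plain text but still on 0.0.0.0.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8667       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8668       0.0.0.0:*'

# Run on the server with --live to check the real sockets.
if [ "${1:-}" = "--live" ]; then
    if ss -ltn | port_is_loopback_only 8668; then
        echo "OK: no non-loopback listener on 8668"
    else
        echo "EXPOSED: plain-text bip port 8668 listens on:"
        ss -ltn | non_loopback_listeners 8668
    fi
    # Handshake with stunnel; prints the negotiated protocol and cipher.
    openssl s_client -connect 127.0.0.1:8667 </dev/null 2>/dev/null |
        grep -E 'Protocol|Cipher'
fi
```

Running the same `openssl s_client` command from the client machine, against the server's hostname instead of 127.0.0.1, shows whether the client's OpenSSL accepts the handshake stunnel offers.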