centos8 SST fails if server-cert uses 1024-bit dhparams

Description

PXC 8.0 RC on centos8 fails this test.

When I use the galera-cert.pem, galera-key.pem, and cacert.pem from the mysql-test/std_data directory, I get the following error from socat

However, when I run with certs I generated myself, there is no error.

Also, running on Ubuntu with the same certs and same socat version (1.7.3.2) works with no error.

Environment

None

Activity

KennT April 22, 2020 at 12:36 AM

Test-case fixed to use newer SSL certificates which fixes this issue.

KennT March 25, 2020 at 7:30 AM

Note: the galera-* certs were added in 2014/2015.  They were trying to fix a "DH params too small" error, and appended the DH params to the cert.  Six years later and the 512-bit DH params are being rejected.

I noticed that Ubuntu uses socat 1.7.3.2 (openssl 1.1.1c).  Centos8 uses socat 1.7.3.2 (openssl 1.1.1c FIPS).

So I don't think this is an urgent issue.  The question is what we want to do with these rare certs.  We can detect if certs have the dhparams embedded and just error out if the sizes are too small, probably good as a precaution anyway.

KennT March 25, 2020 at 5:00 AM

The fix is to check the certs to see if they contain the dhparams and if the dhparams are >= 2048 bits.  If not, we have to supply/generate the dhparams file ourselves.
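The check described in the two comments above (detect a DH PARAMETERS block embedded in the cert file and compare its prime size against 2048 bits), as an added example that is not code from this issue or from PXC. It parses the PKCS#3 DHParameter structure directly instead of shelling out to openssl, so it runs offline. The sample bundle, the placeholder certificate body and the stand-in primes (top and bottom bit set, not real safe primes; only their length matters here) are constructed for the example. The three outcomes of dhparam_decision are my reading of the comments: embedded and large enough means use the file as-is, no embedded params means supply a dhparams file, embedded but too small means error out before socat does.

```python
import base64
import re

MIN_DH_BITS = 2048  # threshold from the comments above


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    """DER INTEGER; a leading zero keeps a high-bit value positive."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def make_dh_params_pem(p, g=2):
    """Encode PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } as PEM."""
    content = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def dh_prime_bits(der):
    """Bit length of the prime in a DER-encoded DHParameter."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a SEQUENCE")
    tag, prime, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of DHParameter is not an INTEGER")
    return int.from_bytes(prime, "big").bit_length()


_DH_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def embedded_dh_sizes(pem_text):
    """Prime sizes (bits) of every DH PARAMETERS block appended to a PEM file."""
    return [dh_prime_bits(base64.b64decode(re.sub(r"\s+", "", m.group(1))))
            for m in _DH_BLOCK.finditer(pem_text)]


def dhparam_decision(pem_text, minimum=MIN_DH_BITS):
    sizes = embedded_dh_sizes(pem_text)
    if not sizes:
        return "supply-dhparams"   # nothing embedded: pass our own dhparam file to socat
    if min(sizes) >= minimum:
        return "use-embedded"      # openssl will pick the block up from the cert file
    return "reject"                # too small: error out with a clear message, not a socat failure


def sample_bundle(dh_bits):
    """Constructed stand-in for a galera-cert.pem style file: cert plus optional DH block."""
    cert = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"placeholder, not a real X.509 certificate").decode()
            + "\n-----END CERTIFICATE-----\n")
    if dh_bits is None:
        return cert
    p = (1 << (dh_bits - 1)) | 1   # constructed: correct length, NOT a real safe prime
    return cert + make_dh_params_pem(p)


if __name__ == "__main__":
    for bits in (512, 1024, 2048, None):
        bundle = sample_bundle(bits)
        print(bits, embedded_dh_sizes(bundle), dhparam_decision(bundle))
```

The same size check from the command line is `openssl dhparam -in galera-cert.pem -text -noout`, which reads the appended block and prints its size; a replacement file for the "supply-dhparams" case is produced with `openssl dhparam -out dh2048.pem 2048` and handed to socat via the dhparam option the final comment in this thread refers to.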

KennT March 20, 2020 at 5:45 AM

The test uses galera-cert.pem and galera-key.pem.  socat (v1.7.3.2) on Centos8 returns an error (note: using socat v1.7.3.2 on Ubuntu does not return an error).

Using the galera docs to generate the certs, this error does not appear.  So it seems this error is particular to these certs.

Fix is to use the server-cert.pem and server-key.pem for the tests.

KennT March 18, 2020 at 4:04 AM

Things that fix this:

(1) Change the certs to use server-key.pem and server-cert.pem

(2) Add the dhparam parameter to the socat call.

Done

Details

Time tracking

6h 20m logged

Created March 18, 2020 at 4:04 AM
Updated March 6, 2024 at 9:42 PM
Resolved April 29, 2020 at 1:15 PM