[openssl-users] openssl-101m server and openssl-101q client TLS1.2 failure
Matt Caswell
matt at openssl.org
Wed Dec 23 16:04:22 UTC 2015
On 23/12/15 15:54, Jayadev Kumar wrote:
> routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3415:
Ah. The above line is the critical bit. This is as a result of the
logjam protections that were part of 1.0.1n. See:
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
1.0.1m s_server uses DH parameters that are too small by default. You
can generate new ones using:
$ openssl dhparam -out dhparam.pem 2048
Then start s_server using:
$ openssl s_server -msg -dhparam dhparam.pem
You should find that 1.0.1q client can interoperate with the above just
fine.
Matt
More information about the openssl-users
mailing list