[openssl-users] openssl-101m server and openssl-101q client TLS1.2 failure

Jayadev Kumar jayadev.kumar at gmail.com
Wed Dec 23 16:07:58 UTC 2015


Thanks Matt.

Jayadev.

On Wed, Dec 23, 2015 at 9:34 PM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 23/12/15 15:54, Jayadev Kumar wrote:
> > routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3415:
>
> Ah. The above line is the critical bit. This is as a result of the
> logjam protections that were part of 1.0.1n. See:
> https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
>
> 1.0.1m s_server uses DH parameters that are too small by default. You
> can generate new ones using:
>
> $ openssl dhparam -out dhparam.pem 2048
>
> Then start s_server using:
>
> $ openssl s_server -msg -dhparam dhparam.pem
>
> You should find that 1.0.1q client can interoperate with the above just
> fine.
>
> Matt
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151223/4a014c46/attachment.html>


More information about the openssl-users mailing list