[openssl-users] Working with large DH parameters
jack seth
bird_112 at hotmail.com
Sun May 3 14:07:43 UTC 2015
Can someone offer an opinion on my questions below? Thanks!
> From: bird_112 at hotmail.com
> To: openssl-users at openssl.org
> Subject: Working with large DH parameters
> Date: Tue, 28 Apr 2015 09:26:25 -0500
>
> Ok I have been doing some experiments with OpenVPN and I can connect using 10000 bit DH parameters. Any bigger than that up to at least 13824 I get the following 'modulus too large' error on the client log:
>
> TLS_ERROR: BIO read tls_read_plaintext error: error:05066067:Diffie-Hellman routines:COMPUTE_KEY:modulus too large: error:14098005:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib
> Wed Apr 22 07:08:58 2015 TLS Error: TLS object -> incoming plaintext read error
> Wed Apr 22 07:08:58 2015 TLS Error: TLS handshake failed
>
> Something interesting/weird also happened. I tried to test 10001, 10002, and 10004 bit DH to find the exact place I would get the 'modulus too large' error. But the server log reported the DH parameters being 10008 instead. I did a test at 15104 that gave the same error but then I tried two more times and the client just sat at the 'initial packet point' like it does with the 16384 bit parameters. So somewhere between 13824 and 16384 it switches between the error above and just sitting there 'frozen'.
>
> Questions: 1. Can the modulus error be cured? 2. Do you think the same modulus error is going on when the client appears to freeze with parameters larger than 13824 or is something else going (i.e. why does it freeze instead of giving the 'modulus error')? 3. Why does the server log report 10001, 10002, 10004 bit DH as 10008?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150503/8d5da00b/attachment.html>
More information about the openssl-users
mailing list