[openssl-users] libssl.so.1.0.0 -> Java1.6 net.ssl gives: dh key too small:s3_clnt.c:3617:
Matthias Apitz
guru at unixarea.de
Thu Aug 25 14:21:44 UTC 2016
Hello,
We have a C written OpenSSL application which talks to a server written
in Java1.6. The client side (i.e. OpenSSL) rejects connecting with the
error:
25.08.2016-10:58:06 Error - SSL_connect() returned:<-1> - connection failed
25.08.2016-10:58:06 SSL_get_error() returned SSL_ERROR_SSL, ERR_print_errors_fp():
4087322300:error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small:s3_clnt.c:3617:
I read in Don Google that is due to a stronger check in OpenSSL since
somewhere in September 2015. The problem is of course with the old Java 1.6
server and does not show up when we talk to a newer version of our
server runninng on Java1.8. It works also with 1.6 when I use on the C
side some older shared lib libssl.so.1.0.0 from Januar 2015, i.e. it
seems exactly the bug as described in
https://groups.google.com/forum/#!topic/ganeti/ds0TwfroS8A :
The used keystore is generated with the Java keytool. It does not help
generate the keystore with Java1.8 keytool and use this in the Java1.6
server.
Is there some workaround?
Thanks
matthias
--
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
More information about the openssl-users
mailing list