<div dir="ltr"><div>Thanks Matt.<br><br></div>Jayadev.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 23, 2015 at 9:34 PM, Matt Caswell <span dir="ltr">&lt;<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
On 23/12/15 15:54, Jayadev Kumar wrote:<br>
> routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3415:<br>
<br>
Ah. The above line is the critical bit. This is as a result of the<br>
logjam protections that were part of 1.0.1n. See:<br>
<a href="https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/" rel="noreferrer" target="_blank">https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/</a><br>
<br>
1.0.1m s_server uses DH parameters that are too small by default. You<br>
can generate new ones using:<br>
<br>
$ openssl dhparam -out dhparam.pem 2048<br>
<br>
Then start s_server using:<br>
<br>
$ openssl s_server -msg -dhparam dhparam.pem<br>
<br>
You should find that 1.0.1q client can interoperate with the above just<br>
fine.<br>
<br>
Matt<br>
_______________________________________________<br>
openssl-users mailing list<br>
</blockquote></div><br></div>
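<p>Added example, not part of the original thread and not OpenSSL code: a Python check of the DH prime size in a PEM file such as the <code>dhparam.pem</code> generated in the message above, so undersized parameters are found before a client rejects the handshake with "dh key too small". The <code>min_bits</code> default of 2048 mirrors the size in the quoted <code>openssl dhparam</code> command and is this example's assumption, not OpenSSL's own cut-off; <code>make_sample_pem</code> builds constructed inputs.</p>

```python
import base64
import re

def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index just past it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, start = _der_len(buf, i + 1)
    return int.from_bytes(buf[start:start + length], "big"), start + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)   # first INTEGER is the prime p
    _der_int(der, i)          # second INTEGER is the generator g (must parse)
    return p.bit_length()

def check_dhparam(pem_text, min_bits=2048):
    """Return (bits, ok). min_bits is this example's policy, an assumption."""
    bits = dh_prime_bits(pem_text)
    return bits, bits >= min_bits

def _tlv(tag, body):
    """Encode one DER tag-length-value; used only to build the sample input."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

def make_sample_pem(bits):
    """Constructed test input: p has the requested size but is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    ints = b"".join(_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, 2))
    b64 = base64.encodebytes(_tlv(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"
```

<p>Call <code>check_dhparam(open("dhparam.pem").read())</code> on a real file; the check covers only the size of p, not its primality or the choice of generator.</p>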