[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

Kurt Roeckx kurt at openssl.org
Sun Jan 10 23:14:43 UTC 2016


The branch OpenSSL_1_0_1-stable has been updated
       via  f5fc9404c231ed013e31c0284adcacfb0f71b86b (commit)
      from  ff9cef026633798801780c43a88093a297f0ca32 (commit)


- Log -----------------------------------------------------------------
commit f5fc9404c231ed013e31c0284adcacfb0f71b86b
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Sun Jan 10 13:55:08 2016 +0100

    Change minimum DH size from 768 to 1024
    
    Reviewed-by: Viktor Dukhovni <openssl-users at dukhovni.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES       | 3 ++-
 ssl/s3_clnt.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 915b1f6..23ca912 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,8 @@
 
  Changes between 1.0.1q and 1.0.1r [xx XXX xxxx]
 
-  *)
+  *) Reject DH handshakes with parameters shorter than 1024 bits.
+     [Kurt Roeckx]
 
  Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
 
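Review bot: The new CHANGES entry reads as if every DH handshake below 1024 bits is rejected, but the check changed in ssl/s3_clnt.c raises only the non-export limit; the export branch there still accepts anything from 512 bits up. Suggest wording such as "Reject DH handshakes with parameters shorter than 1024 bits for non-export ciphers (previously 768)", and saying that the check is made by the client, since the change is in s3_clnt.c.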
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index af7f8fa..cfa5080 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3417,7 +3417,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
     /* Check DHE only: static DH not implemented. */
     if (alg_k & SSL_kEDH) {
         int dh_size = BN_num_bits(dh->p);
-        if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
+        if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024)
             || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
             SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
             goto f_err;
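Review bot: On the changed line of the condition, 1024 is a bare literal, and the comment above it ("Check DHE only: static DH not implemented.") says nothing about the minimum sizes, so the policy can only be found by reading the expression. Suggest named constants for the 1024 and 512 limits, plus a comment stating that the export branch is deliberately left at dh_size < 512, because with an export cipher a 512-bit group still passes this check without SSL_R_DH_KEY_TOO_SMALL being raised.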

