[openssl-users] Working with large DH parameters

jack seth bird_112 at hotmail.com
Tue Apr 28 14:26:25 UTC 2015

Ok I have been doing some experiments with OpenVPN and I can connect using 10000 bit DH parameters.  Any bigger than that up to at least 13824 I get the following 'modulus too large' error on the client log:

TLS_ERROR: BIO read tls_read_plaintext error: error:05066067:Diffie-Hellman routines:COMPUTE_KEY:modulus too large: error:14098005:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib
Wed Apr 22 07:08:58 2015 TLS Error: TLS object -> incoming plaintext read error
Wed Apr 22 07:08:58 2015 TLS Error: TLS handshake failed

Something interesting/weird also happened.  I tried to test 10001, 10002, and 10004 bit DH to find the exact place I would get the 'modulus too large' error.  But the server log reported the DH parameters being 10008 instead.  I did a test at 15104 that gave the same error but then I tried two more times and the client just sat at the 'initial packet point' like it does with the 16384 bit parameters.  So somewhere between 13824 and 16384 it switches between the error above and just sitting there 'frozen'.

Questions: 1. Can the modulus error be cured?  2. Do you think the same modulus error is going on when the client appears to freeze with parameters larger than 13824 or is something else going (i.e. why does it freeze instead of giving the 'modulus error')?  3. Why does the server log report 10001, 10002, 10004 bit DH as 10008? 		 	   		  

More information about the openssl-users mailing list