[openssl-users] openssl-101m server and openssl-101q client TLS1.2 failure

Matt Caswell matt at openssl.org
Wed Dec 23 16:04:22 UTC 2015



On 23/12/15 15:54, Jayadev Kumar wrote:
> routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3415:

Ah. The above line is the critical bit. This is as a result of the
logjam protections that were part of 1.0.1n. See:
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

1.0.1m s_server uses DH parameters that are too small by default. You
can generate new ones using:

$ openssl dhparam -out dhparam.pem 2048

Then start s_server using:

$ openssl s_server -msg -dhparam dhparam.pem

You should find that 1.0.1q client can interoperate with the above just
fine.

Matt


More information about the openssl-users mailing list