[openssl-users] How to enforce DH field size in the client?

ramahmoo rashid_m180 at yahoo.com
Thu Oct 8 08:10:09 UTC 2015


>>This should be possible via configuration, not just explicit API 
>>calls from applications that go to the extra trouble. 
How is it possible via configuration?

I have seen in s3_clnt.c that OpenSSL checks the server's DH prime size against a
hardcoded value:

    if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
        || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
        goto f_err;
    }

Why is it not possible to set the compared constant key size via some
public method?



--
View this message in context: http://openssl.6102.n7.nabble.com/How-to-enforce-DH-field-size-in-the-client-tp60442p60480.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


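The configuration route the quoted reply alludes to exists in OpenSSL 1.1.0 and later as security levels: "CipherString = DEFAULT@SECLEVEL=2" in openssl.cnf, the same suffix passed to SSL_CTX_set_cipher_list(), or SSL_CTX_set_security_level() in C, all make the library refuse ephemeral DH below the level's floor (2048 bits at level 2), and SSL_CTX_set_security_callback() lets an application veto SSL_SECOP_TMP_DH with its own threshold. The block below is an added example, not code from this thread or from OpenSSL; it drives the cipher-string form through Python's ssl module, which hands the string to OpenSSL unchanged, and assumes an OpenSSL 1.1.0+ build. The seclevel_for_dh_bits() and client_context() helpers and the SECLEVEL_MIN_DH_BITS table (values taken from the SSL_CTX_set_security_level manual page) are this example's own.

```python
"""Make an OpenSSL-backed TLS client reject small ephemeral DH parameters
through configuration instead of patching the hardcoded 768-bit check.

Added example, not code from the original thread or from the OpenSSL
project.  It relies on OpenSSL security levels (OpenSSL 1.1.0 and later)
reached through Python's ssl module: set_ciphers() passes the string to
SSL_CTX_set_cipher_list(), and the "@SECLEVEL=n" suffix is interpreted by
OpenSSL itself, exactly as it would be from openssl.cnf.
"""
import ssl

# Minimum DH (and RSA/DSA) modulus size, in bits, that each OpenSSL security
# level enforces, per SSL_CTX_set_security_level(3).  Level 0 enforces none.
SECLEVEL_MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def seclevel_for_dh_bits(min_dh_bits):
    """Return the lowest security level whose DH floor is at least
    min_dh_bits, or None when no level is strict enough.

    Levels are coarse: asking for 1536 bits yields level 2 (floor 2048),
    because the floor can only be rounded up, never down.
    """
    for level in sorted(SECLEVEL_MIN_DH_BITS):
        if SECLEVEL_MIN_DH_BITS[level] >= min_dh_bits:
            return level
    return None


def client_context(min_dh_bits, base_ciphers="DEFAULT"):
    """Build a verifying client context whose handshake fails with
    "dh key too small" if the ServerKeyExchange carries a DH prime
    shorter than the chosen level's floor (hypothetical helper)."""
    level = seclevel_for_dh_bits(min_dh_bits)
    if level is None:
        raise ValueError(f"no OpenSSL security level enforces {min_dh_bits}-bit DH")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies peer cert and hostname
    # Same effect as "CipherString = DEFAULT@SECLEVEL=2" in openssl.cnf or
    # SSL_CTX_set_security_level(ctx, 2) in C; OpenSSL parses the suffix.
    ctx.set_ciphers(f"{base_ciphers}@SECLEVEL={level}")
    return ctx


def effective_security_level(ctx):
    """Security level OpenSSL actually applied to ctx, or None when the
    running Python (older than 3.10) does not expose SSLContext.security_level."""
    return getattr(ctx, "security_level", None)


if __name__ == "__main__":
    ctx = client_context(2048)
    print("client security level:", effective_security_level(ctx))
```

Two caveats a deployer should weigh. A security level is not only a DH floor: it also raises the minimum RSA and ECC key sizes and signature digest strength and disables older protocol versions, so level 2 can break connectivity to servers that would have passed a DH-only check. And on the 1.0.2 line the post quotes from (where the check lives in s3_clnt.c), no level or callback exists; the only client-side option there is to finish the handshake, retrieve the ephemeral key with SSL_get_server_tmp_key(), compare EVP_PKEY_bits() against the desired floor, and close the connection before sending application data.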