[openssl-users] How to enforce DH field size in the client?

ramahmoo rashid_m180 at yahoo.com
Thu Oct 8 08:10:09 UTC 2015

>>This should be possible via configuration, not just explicit API 
>>calls from applications that go to the extra trouble. 
How is it possible via configuration?

I have seen that in s3_clnt.c, OpenSSL checks the server DH prime size
against a hardcoded value:

    if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
        || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
        goto f_err;
    }

Why is it not possible to initialize the compared constant key size via some
public method?

View this message in context: http://openssl.6102.n7.nabble.com/How-to-enforce-DH-field-size-in-the-client-tp60442p60480.html