[openssl-users] libssl.so.1.0.0 -> Java1.6 net.ssl gives: dh key too small:s3_clnt.c:3617:

Porter, Andrew Andrew_Porter at bmc.com
Thu Aug 25 15:38:38 UTC 2016

There may be other solutions but here are two I've used:

(1) Upgrade the Java the server uses to a recent Java 8. It should run fine. The product I work in is built with the Java 6 development kit but runs without any problems on Java 6 - 8.

(2) Update the server Java 6 to the latest version of 6 with security updates. This is NOT publicly available but is available under support from Oracle. If the server is running on Red Hat Enterprise Linux and has support you are able to get the latest Java 6 through Red Hat by adding a special subscription channel and using the standard system update tools to install/update Oracle Java. Don't know about other operating systems.


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Matthias Apitz
Sent: Thursday, August 25, 2016 07:22
To: openssl-users at openssl.org
Subject: [openssl-users] libssl.so.1.0.0 -> Java1.6 net.ssl gives: dh key too small:s3_clnt.c:3617:


We have a C written OpenSSL application which talks to a server written in Java1.6. The client side (i.e. OpenSSL) rejects connecting with the

25.08.2016-10:58:06 Error - SSL_connect() returned:<-1> - connection failed
25.08.2016-10:58:06 SSL_get_error() returned SSL_ERROR_SSL, ERR_print_errors_fp():
4087322300:error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small:s3_clnt.c:3617:

I read in Don Google that is due to a stronger check in OpenSSL since somewhere in September 2015. The problem is of course with the old Java 1.6 server and does not show up when we talk to a newer version of our server runninng on Java1.8. It works also with 1.6 when I use on the C side some older shared lib libssl.so.1.0.0 from Januar 2015, i.e. it seems exactly the bug as described in https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_forum_-23-21topic_ganeti_ds0TwfroS8A&d=CwIGaQ&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=rM-xapYCunnmjke6suxLaVU8krc3wfCZvRQxfT87RRc&m=zyF1KGGEdIw5t8MZBZhZYjK_goSnyFnKtB2cxUvFm5Q&s=9It2fqYqL0MrbGps6_nQksmKlroixvU1_OGDrUFtrWQ&e=  :

The used keystore is generated with the Java keytool. It does not help generate the keystore with Java1.8 keytool and use this in the Java1.6 server.

Is there some workaround?



Matthias Apitz, ✉ guru at unixarea.de, ⌂ https://urldefense.proofpoint.com/v2/url?u=http-3A__www.unixarea.de_&d=CwIGaQ&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=rM-xapYCunnmjke6suxLaVU8krc3wfCZvRQxfT87RRc&m=zyF1KGGEdIw5t8MZBZhZYjK_goSnyFnKtB2cxUvFm5Q&s=G05u61yon8Fp-9mwaRO2ujd87dFGPboM4uGXo7IhMIU&e=   ☎ +49-176-38902045
openssl-users mailing list
To unsubscribe: https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Dusers&d=CwIGaQ&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=rM-xapYCunnmjke6suxLaVU8krc3wfCZvRQxfT87RRc&m=zyF1KGGEdIw5t8MZBZhZYjK_goSnyFnKtB2cxUvFm5Q&s=bXIMkT6q0xTjcZ6C6_6c9QRue1Na6iyGeDZ20yqzgMo&e= 

More information about the openssl-users mailing list