[openssl-users] Cipher preference, openssl vs browsers

Bogdan Harjoc harjoc at gmail.com
Tue Jul 19 09:16:05 UTC 2016

When connecting to a TLS 1.2 webserver that uses a weak 512-bit DH key,
I noticed that browsers select

  (chrome, firefox)

and openssl due to the ciphers list selects


openssl s_client -connect -cipher

The error is: dh key too small:.\ssl\s3_clnt.c:3424.

From a client that uses openssl libs, what would the correct
workaround be? Try to figure out that the DH key is too small and
retry with the DHE ciphers disabled? Or reorder the ciphers? Given
that cipher order can lead to failed handshakes, is there a correct
order for https clients?

