[openssl-users] Selection of DHE ciphers based on modulus size of DH

Jordan Brown openssl at jordan.maileater.net
Thu Jun 7 15:02:40 UTC 2018

On 6/6/2018 11:22 PM, Sanjaya Joshi wrote:
> >>Current OpenSSL isn't willing to connect to a server using a DH key size
> below 1024 bits.
> Yes, i have verified this. However, not sure, how my OpenSSL-based
> client can do this, as our requirement is that we must not use DH key
> size below 2048 bits.
> >> I'm pretty sure that clients can and do refuse to talk to servers
> with small DH parameters.
> Could you please provide some more clues how a client can do so ?

The 1024-bit DH limit is implemented in the OpenSSL client library.  I
don't know if the calling application has any control or any visibility
onto that decision.

(But note: it's still the client that's making the decision, from the
perspective of the TLS protocol.)

A bit of searching later...

It looks like the key test is here:


             * No EDH keys weaker than 1024-bits even at level 0, otherwise,
             * anything goes.
            if (op == SSL_SECOP_TMP_DH && bits < 80)
                return 0;
            return 1;

and it looks like you can plug in your own function using
SSL_set_security_callback.  I do not understand, however, how the 80
relates to a 1024-bit limit.

Here's the documentation:


Jordan Brown, Oracle Solaris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180607/e083496e/attachment.html>

More information about the openssl-users mailing list