
I am programming a "Terminal" in C++ to which a client can connect using SSL to encrypt the connection. I use Boost::asio to handle the sockets and SSL.

I am starting the SSL-Context like this:

```cpp
boost::asio::ssl::context context_(io_service_, boost::asio::ssl::context::tlsv1);
```

As you can see, I set the SSL-Version to TLSv1.

These are the context options:

```cpp
context_.set_options(boost::asio::ssl::context::default_workarounds
                     | boost::asio::ssl::context::no_sslv2
                     | boost::asio::ssl::context::single_dh_use);

context_.use_certificate_chain_file("CERTS/server.crt");
context_.use_private_key_file("CERTS/server.key", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("CERTS/dh512.pem");
```

When I now connect to my server with `openssl s_client -connect localhost:8000 -tls1`, the handshake fails on the server side with the error:

"sslv3 alert handshake failure"

Also, I noticed a strange line on the client side:

"140030998197920:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3329:"

What does this mean? Did I make a mistake when I created the certificate? I did it exactly as described in the answer to this question.

Bobface
  • Using only `boost::asio::ssl::context::no_sslv2` means the SSLv3 record layer can be used. You should probably OR-in `boost::asio::ssl::context::no_sslv3`. `boost::asio::ssl::context::single_dh_use` will crush performance. You might consider generating one, using it for an hour, generating another one, using it for an hour, etc. For the DH too small problem, see [SSL operation failed with code 1: dh key too small](http://stackoverflow.com/a/30706878/608639). – jww Jun 25 '16 at 00:19

1 Answer

> `context_.use_tmp_dh_file("CERTS/dh512.pem");`
>
> `... dh key too small:s3_clnt.c:3329:"`

You are using a DH key of only 512 bits. Such keys are considered too weak, and the handshake will fail with newer versions of TLS libraries. You should use a 2048-bit DH key instead or, even better, use ciphers with ECDHE.

For more details on the problem see Logjam Attack.

Steffen Ullrich
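A pre-flight check for the file handed to `use_tmp_dh_file`, as an added example that is not part of the original question or answer: it reads the prime size out of a PEM `DH PARAMETERS` block using only the standard library, so a 512-bit group can be rejected at server startup instead of surfacing as a client-side handshake failure. The function names and the 2048-bit default are assumptions of this example; the threshold is the one recommended in the answer above.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>
// Decode the base64 body of a PEM "DH PARAMETERS" block into DER bytes.
std::vector<uint8_t> pem_to_der(const std::string& pem) {
    static const std::string tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const std::string begin = "-----BEGIN DH PARAMETERS-----", end = "-----END DH PARAMETERS-----";
    std::size_t b = pem.find(begin), e = pem.find(end);
    if (e == std::string::npos || e < b) throw std::runtime_error("not a DH PARAMETERS PEM block");
    std::vector<uint8_t> out;
    uint32_t acc = 0;
    int bits = 0;
    for (std::size_t i = b + begin.size(); i < e; ++i) {
        std::size_t v = tbl.find(pem[i]);
        if (v == std::string::npos) continue;  // newline or '=' padding
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(static_cast<uint8_t>(acc >> bits)); }
    }
    return out;
}

// Check the DER tag at pos, advance pos to the content, return the content length.
std::size_t der_header(const std::vector<uint8_t>& d, std::size_t& pos, uint8_t tag) {
    if (pos + 2 > d.size() || d[pos++] != tag) throw std::runtime_error("unexpected DER tag");
    std::size_t len = d[pos++];
    if (len & 0x80) {  // long form: low 7 bits give the number of length bytes
        std::size_t n = len & 0x7f;
        if (n == 0 || n > 4 || n > d.size() - pos) throw std::runtime_error("bad DER length");
        for (len = 0; n > 0; --n) len = (len << 8) | d[pos++];
    }
    if (len > d.size() - pos) throw std::runtime_error("truncated DER");
    return len;
}

// Bit length of the prime in DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }.
std::size_t dh_prime_bits(const std::vector<uint8_t>& der) {
    std::size_t pos = 0;
    der_header(der, pos, 0x30);                         // outer SEQUENCE
    std::size_t len = der_header(der, pos, 0x02);       // first INTEGER is the prime
    while (len > 0 && der[pos] == 0) { ++pos; --len; }  // skip the sign-padding zero byte
    if (len == 0) return 0;
    std::size_t bits = len * 8;
    for (uint8_t top = der[pos]; !(top & 0x80); top = static_cast<uint8_t>(top << 1)) --bits;
    return bits;
}

// Hypothetical policy helper (name and default are this example's): reject groups under 2048 bits.
bool dh_params_acceptable(const std::string& pem, std::size_t min_bits = 2048) { return dh_prime_bits(pem_to_der(pem)) >= min_bits; }
```

Call `dh_params_acceptable` on the contents of the DH parameter file before passing its path to `use_tmp_dh_file`, and refuse to start if it returns false.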