
In our application, we use OpenSSL for secure connections and we use DH for key exchange. With the recent OpenSSL versions, the minimum key length that can be used is 768 and 1024 is recommended. Our application is a peer-to-peer application and, to comply with this requirement, all our application instances need to be updated to start using 1024-bit DH keys. As of today, our application uses a 512-bit key by default. They can be configured via a configuration file to specify 102/2048/4096 lengths, but this requires a manual change on all systems.

To my understanding, the server side always decides the DH key length. So, we will not be able to update the OpenSSL version on the client side without updating the server side.

Is there any way to enforce the minimum DH key length from the client side so that the server will generate a DH key with the minimum length specified by the client?

Shiva
  • Also see [How to reject weak DH parameters in an OpenSSL client?](https://stackoverflow.com/q/32947040/608639), [OpenSSL DH Key Too Small Error](https://stackoverflow.com/q/36417224/608639); and [How to enforce DH field size in the client?](http://openssl.6102.n7.nabble.com/How-to-enforce-DH-field-size-in-the-client-td60442.html) on the OpenSSL mailing list. – jww Oct 09 '17 at 14:54
  • I referred to the above links. Most of them ended up as questions only. – Shiva Oct 11 '17 at 10:36

0 Answers
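Added example (not from the question, its comments, or OpenSSL itself): a pure-Python audit of a PEM DH parameter file, which parses the PKCS#3 DER `SEQUENCE { prime p, generator g }` and flags any prime shorter than a chosen minimum, so an operator can check each instance's configured parameters against the 1024-bit floor before rolling out the OpenSSL upgrade. The PEM builder and the sample primes here are constructed for the demonstration and are not real safe primes; real files come from `openssl dhparam`.

```python
import base64
import re

# --- DER helpers to build a constructed DH PARAMETERS file (demo only) ---
def der_len(n):
    """Encode a DER length (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 if high bit set)."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b

def make_dhparam_pem(p, g):
    """Build a PEM 'DH PARAMETERS' block from constructed p and g (NOT real safe primes)."""
    body = der_int(p) + der_int(g)
    der = b"\x30" + der_len(len(body)) + body          # SEQUENCE { p, g }
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + lines + "\n-----END DH PARAMETERS-----\n"

# --- The audit: parse the prime and measure its size ---
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:                                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dh_prime_bits(pem):
    """Size in bits of the prime p inside a PEM DH PARAMETERS block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)                # first element is the prime p
    if tag != 0x02:
        raise ValueError("expected INTEGER for p")
    return int.from_bytes(p_bytes, "big").bit_length()

def check_dhparam(pem, minimum_bits=1024):
    """Return (passes, bits): True only if p is at least minimum_bits long."""
    bits = dh_prime_bits(pem)
    return bits >= minimum_bits, bits
```

Run it over every peer's configured parameter file; any instance reporting fewer than 1024 bits is one that a security-level-enforcing OpenSSL peer will refuse to negotiate with.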