[gnutls-dev] Diffie Hellman interoperability problem with OpenSSL

Roman Hoog Antink me at rs3.ch
Mon Sep 15 18:12:01 CEST 2003


Hi

When SSL handshaking with a OpenSSL 0.9.6 server using DH key exchange, gnutls 
version 0.9.7 complains "The Diffie Hellman prime sent by the server is not 
acceptable (not long enough)." and aborts.

After removing the corresponding if-block in lib/auth_dh_common.c line 221, 
the handshake is accomplished as expected and the connection works.

Can someone please explain, what bits = _gnutls_dh_get_prime_bits( session); 
in this context means and why this if-block is important?

How do I have to initialize DH params in my application to avoid this problem?

For easier reading the gnutls code I'm talking about:

    bits = _gnutls_dh_get_prime_bits( session);
    if (bits < 0) {
        gnutls_assert();
        return bits;
    }

    if ( _gnutls_mpi_get_nbits( session->key->client_p) < (size_t)bits) {
        /* the prime used by the peer is not acceptable
         */
        gnutls_assert();
        return GNUTLS_E_DH_PRIME_UNACCEPTABLE;
    }


Roman




More information about the Gnutls-devel mailing list