[Help-gnutls] How to correctly set Diffie Hellman prime bits?

Lennart Koopmann lennart at scopeport.org
Wed Jul 9 14:15:36 CEST 2008


Hello again list,

I am continuing to experiment with GNUTLS. I have written a client and a
server that perform anonymous (ANON-DH) TLS negotiation.

I successfully connected to a gnutls-serv --http --priority "NORMAL:
+ANON-DH" instance.

When I tried to connect to my own server (which is mostly an example
from the documentation) I got the following error:

> GNUTLS ERROR: The Diffie Hellman prime sent by the server is not
> acceptable (not long enough).

So I manually set the Diffie Hellman prime bits in the server to 1024
and in the client to 1023 (gnutls_dh_set_prime_bits (session, DH_BITS))
- with no effect. Still the same error. I also tried to set the DH prime
bits in the server to 2048. The server needed longer to start up after
this change, so I guess that took effect.

I then set the DH prime bits in the client to 0 and in the server to
1024. Now I can connect:

Output of server:
> [lennart at sundaysister Debug]$ ./GNUTLSTest-Server 
> Server ready. Listening to port '5556'.
>
> - Anonymous DH using prime of -50 bits
> - connection from 112.93.99.0, port 50879
> - Handshake was completed
>
> - Peer has closed the GNUTLS connection

Output of client:

> [lennart at sundaysister Debug]$ ./GNUTLSTest 
> - Anonymous DH using prime of 8 bits
> - Handshake was completed
> - Received 22 bytes: hello, this is a test!

Notice the "Anonymous DH using prime of -50 bits". This is the output
of gnutls_dh_get_prime_bits(session). No change wherever I place the
output in the source code or whatever I set DH_BITS to.

I guess a DH prime of 8 bits will not provide strong encryption,
right? ;)

Could you please help me with that?

So long
Lennart
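Since the thread has no reply, here is an added example (my own code, not the poster's and not taken from the GnuTLS documentation) of how the GnuTLS 2.x API handles the DH prime size on each side: the server fixes the size through the DH parameters it generates and attaches to its anonymous credentials, the client declares the minimum it will accept with gnutls_dh_set_prime_bits(), and gnutls_dh_get_prime_bits() is only meaningful after a successful handshake, because a negative return such as -50 is a GnuTLS error code (GNUTLS_E_INVALID_REQUEST), not a bit count. DH_BITS and the function names are this example's own; build with -DWITH_GNUTLS -lgnutls to compile the GnuTLS-dependent part.

```c
/* Added example, not from the thread: GnuTLS 2.x server-side ANON-DH setup
 * and a helper that interprets gnutls_dh_get_prime_bits(). DH_BITS and the
 * three function names are this example's own. */
#include <stdio.h>
#define DH_BITS 1024

/* gnutls_dh_get_prime_bits() returns the negotiated prime size in bits or a
 * negative GnuTLS error code; -50 is GNUTLS_E_INVALID_REQUEST, returned when
 * the session has no completed DH key exchange (e.g. when called before
 * gnutls_handshake() has succeeded). Returns 1 for a bit count >= min_bits,
 * 0 for a smaller bit count, -1 for an error code. */
int dh_bits_or_error(int ret, unsigned int min_bits)
{
    if (ret < 0)
        return -1;
    return (unsigned int) ret >= min_bits ? 1 : 0;
}

#ifdef WITH_GNUTLS /* build with -DWITH_GNUTLS -lgnutls */
#include <gnutls/gnutls.h>

/* Server side: the prime size comes from the DH parameters generated here
 * and attached to the anonymous credentials. The server does not call
 * gnutls_dh_set_prime_bits(); the client calls that before the handshake
 * to state the smallest prime it will accept. */
static gnutls_dh_params_t dh_params;

int server_anon_credentials(gnutls_anon_server_credentials_t *cred)
{
    int ret = gnutls_dh_params_init(&dh_params);
    if (ret < 0) return ret;
    ret = gnutls_dh_params_generate2(dh_params, DH_BITS); /* slow at 2048 */
    if (ret < 0) return ret;
    ret = gnutls_anon_allocate_server_credentials(cred);
    if (ret < 0) return ret;
    gnutls_anon_set_server_dh_params(*cred, dh_params);
    return 0;
}

/* Call only after gnutls_handshake() has returned 0. */
void report_dh_bits(gnutls_session_t session)
{
    int bits = gnutls_dh_get_prime_bits(session);
    if (dh_bits_or_error(bits, DH_BITS) < 0)
        fprintf(stderr, "no DH prime bits: %s\n", gnutls_strerror(bits));
    else
        printf("- Anonymous DH using prime of %d bits\n", bits);
}
#endif
```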