OL, OVM: Connection Fails; "openssl: SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small"

(Doc ID 2277028.1)

Last updated on JUNE 21, 2017

Applies to:

Linux OS - Version Oracle Linux 6.0 and later
Linux x86-64
Linux x86

Symptoms

Examining The Certificate Offered By A Web Site

The key size used by a web site can be seen like this:

$ openssl s_client -connect "example.com:443" </dev/null 2>/dev/null | openssl x509 -text -noout
...
Public-Key: (256 bit)
...

A key length like this indicates that the certificate needs to be recreated with a longer key.

Examining A Local Certificate File

If the <certificate>.pem file is accessible, the certificate can be examined like this:

$ openssl dhparam -inform PEM -in my-cert=dhparam.pem -check -text | fgrep 'DH Parameters'

Encountering A Run-time Error

After upgrading openssl to version openssl-1.0.1e-57.el6.x86_64, a client application reports the error:

SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3345:
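
The error refers to the Diffie-Hellman parameters used in the key exchange. The script below is an added example, not part of the original note: it reads openssl output on stdin and reports the DH size against a minimum. MIN_DH_BITS (default 2048), the function names and the sample lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pull the DH size out of openssl output and compare it
# with a minimum. MIN_DH_BITS is an assumed local policy value; the
# article does not state the limit enforced by the updated openssl.
MIN_DH_BITS="${MIN_DH_BITS:-2048}"

# Read openssl text on stdin and print the DH size in bits (nothing if absent).
# Recognised lines:
#   "DH Parameters: (N bit)" or "PKCS#3 DH Parameters: (N bit)"  (openssl dhparam -text)
#   "Server Temp Key: DH, N bits"   (openssl s_client, OpenSSL 1.0.2 and later)
# An ECDH temp key line is deliberately not matched.
dh_bits() {
    sed -n \
        -e 's/^.*DH Parameters: (\([0-9][0-9]*\) bit).*$/\1/p' \
        -e 's/^.*Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1
}

# Classify openssl output read on stdin.
# Prints "ok N", "too-small N", or "no-dh" when no DH size was found.
dh_verdict() {
    bits=$(dh_bits)
    if [ -z "$bits" ]; then
        echo "no-dh"
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "too-small $bits"
    else
        echo "ok $bits"
    fi
}

# Constructed sample lines (not captured from a real host).
SAMPLE_DHPARAM='    PKCS#3 DH Parameters: (512 bit)'
SAMPLE_SCLIENT='Server Temp Key: DH, 2048 bits'
SAMPLE_ECDHE='Server Temp Key: ECDH, P-256, 256 bits'

for sample in "$SAMPLE_DHPARAM" "$SAMPLE_SCLIENT" "$SAMPLE_ECDHE"; do
    printf '%s\n' "$sample" | dh_verdict
done

# Against real input (FILE and the host are placeholders):
#   openssl dhparam -inform PEM -in FILE -text -noout | dh_verdict
#   openssl s_client -connect "example.com:443" </dev/null 2>/dev/null | dh_verdict
```

A "no-dh" result from s_client means the negotiated cipher suite did not use a finite-field DH key exchange, so no DH size was reported for that connection.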

 

Changes

 

Cause
