2.18 Determining the Strength of Diffie-Hellman Parameters
Starting from OpenSSL 1.0.2, when you connect to a server, the s_client command prints the strength of the ephemeral Diffie-Hellman key if one is used. Thus, to determine the strength of the server's DH parameters, all you need to do is connect to it while offering only suites that use the DH key exchange. For example:
$ openssl s_client -connect www.feistyduck.com:443 -cipher kEDH
[...]
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: DH, 2048 bits
---
[...]
Servers that support export suites might actually offer even weaker DH parameters. To check for that possibility, connect using your old OpenSSL while offering only export DHE suites:
$ openssl s_client -connect www.feistyduck.com:443 -cipher kEDH+EXPORT
This command should fail with well-configured servers. Otherwise, you’ll probably see the server offering to negotiate insecure 512-bit DH parameters.
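The two checks above can be scripted so that the DH size is extracted and rated rather than read by eye. The following is an added example, not code from the OpenSSL Cookbook or the OpenSSL project: it parses the "Server Temp Key: DH, N bits" line that s_client prints, rates the size, and treats a successful kEDH+EXPORT handshake (which leaves a DH key line in the output) as a finding. The helper names, the rating thresholds (below 1024 bits insecure, below 2048 weak) and the sample transcripts are constructed for this example.

```shell
#!/bin/sh
# Added example: rate the DH parameters a server negotiates, based on the
# "Server Temp Key" line printed by openssl s_client (OpenSSL 1.0.2 or later).

# dh_bits_from_output: read s_client output on stdin and print the size of the
# ephemeral DH key, or print nothing if no DH key line is present (for example
# because the handshake failed).
dh_bits_from_output() {
    sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p' | head -n 1
}

# rate_dh_bits: map a DH size (possibly empty) to a verdict string.
# Thresholds are this example's choice, not a standard.
rate_dh_bits() {
    bits="$1"
    if [ -z "$bits" ]; then
        echo "no-dh"          # no DH key exchange happened
    elif [ "$bits" -lt 1024 ]; then
        echo "insecure"       # export-grade (512-bit) territory
    elif [ "$bits" -lt 2048 ]; then
        echo "weak"           # 1024-bit and similar
    else
        echo "ok"
    fi
}

# rate_export_check: read output of the kEDH+EXPORT connection on stdin.
# A well-configured server refuses the handshake, so no DH key line appears.
rate_export_check() {
    bits=$(dh_bits_from_output)
    if [ -z "$bits" ]; then
        echo "export-dh-refused"
    else
        echo "export-dh-offered:${bits}"
    fi
}

# connect: run s_client with the given cipher string against host:port
# (network access needed; stdin is closed so s_client exits after the handshake).
connect() {
    host="$1"; port="$2"; ciphers="$3"
    openssl s_client -connect "$host:$port" -cipher "$ciphers" </dev/null 2>/dev/null
}

# check_host: the two checks from the text, as one report.
check_host() {
    host="$1"; port="${2:-443}"
    echo "DHE:    $(rate_dh_bits "$(connect "$host" "$port" kEDH | dh_bits_from_output)")"
    echo "export: $(connect "$host" "$port" kEDH+EXPORT | rate_export_check)"
}

# Constructed sample transcripts, modelled on the s_client output shown above.
SAMPLE_2048='---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: DH, 2048 bits
---'
SAMPLE_512='Server Temp Key: DH, 512 bits'
SAMPLE_FAILED='CONNECTED(00000003)
140735254077504:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'

# Only contact a real server when asked to, e.g.
#   DH_CHECK_HOST=www.feistyduck.com sh dhcheck.sh
if [ -n "${DH_CHECK_HOST:-}" ]; then
    check_host "$DH_CHECK_HOST" "${DH_CHECK_PORT:-443}"
fi
```

The cipher strings are passed through unchanged, so the script depends on the same OpenSSL behaviour as the manual commands: the export check only means something when run with an OpenSSL build that still contains export suites, and on OpenSSL 1.1.1 or later a TLS 1.3 handshake will report the key share (for example X25519) rather than a DH key, so add -tls1_2 to the connect function if you want to see the TLS 1.2 DHE parameters specifically.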