On 22-04-15 20:11, jack seth wrote:
> Ok I have been doing some experiments and I can connect using 10000 bit DH 
> parameters.  Any bigger than that up to at least 13824 I get the following 
> 'modulus too large' error on the client log:
>
> TLS_ERROR: BIO read tls_read_plaintext error: error:05066067:Diffie-Hellman 
> routines:COMPUTE_KEY:modulus too large: error:14098005:SSL 
> routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib
> Wed Apr 22 07:08:58 2015 TLS Error: TLS object -> incoming plaintext read 
> error
> Wed Apr 22 07:08:58 2015 TLS Error: TLS handshake failed
>
> Something interesting/weird also happened.  I tried to test 10001, 10002, and 
> 10004 bit DH to find the exact place I would get the 'modulus too large' 
> error.  But the server log reported the DH parameters being 10008 instead.  I 
> did a test at 15104 that gave the same error but then I tried two more times 
> and the client just sat at the 'initial packet point' like it does with the 
> 16384 bit parameters.  So somewhere between 13824 and 16384 it switches 
> between the error above and just sitting there 'frozen'.
>
> Questions: 1. Can the modulus error be cured?  2. Do you think the same 
> modulus error is going on when the client appears to freeze with parameters 
> larger than 13824 or is something else going on (i.e. why does it freeze instead 
> of giving the 'modulus error')?  3. Why does the server log report 10001, 
> 10002, 10004 bit DH as 10008?

All OpenVPN does here is pass along the DH parameters to OpenSSL. What 
you're seeing here are OpenSSL errors and OpenSSL behaviour. You can 
verify the behaviour wrt DH parameter handling using the openssl command 
line tools s_server and s_client:

$ openssl s_server -cert server.crt -key server.key -dhparam dh2048.pem

$ openssl s_client

Assuming that using the openssl command line tools renders the same 
results: unless anyone on this list has fiddled around with this in the 
same way, you will probably get better answers when asking your 
questions on the openssl list.

-Steffan
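As an added example that is not part of this thread: the "modulus too large" error in the quoted log is what OpenSSL's DH code reports when the modulus p exceeds its compile-time limit OPENSSL_DH_MAX_MODULUS_BITS (10000 bits by default), which lines up with 10000-bit parameters working and anything larger failing. The script below builds and parses PKCS#3 DH parameter files in pure Python so a file can be checked against that limit before it is handed to OpenVPN; the sample moduli are constructed (not primes) and the limit is stated from OpenSSL's source, not from the thread.

```python
import base64
import textwrap

# OpenSSL rejects a DH modulus p longer than this with "modulus too large"
# (its compile-time default OPENSSL_DH_MAX_MODULUS_BITS).
OPENSSL_DH_MAX_MODULUS_BITS = 10000

def _der_len(n):  # DER length octets: short form, or long form for n >= 128
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value):  # DER INTEGER; the extra byte keeps the sign bit clear
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body

def encode_dhparams(p, g):
    """PEM 'DH PARAMETERS' block: PKCS#3 SEQUENCE { INTEGER p, INTEGER g }."""
    inner = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(inner)) + inner).decode()
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")

def _read_tlv(buf, pos):  # (tag, value, next_pos) for the TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_dhparams(pem):  # parse a PEM DH parameter file back into (p, g)
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def check_modulus_size(pem):  # (modulus bits, True if OpenSSL accepts the size)
    p, _ = decode_dhparams(pem)
    return p.bit_length(), p.bit_length() <= OPENSSL_DH_MAX_MODULUS_BITS

# Constructed inputs (NOT primes, only moduli of a chosen bit length).
DH_10000_BIT_PEM = encode_dhparams((1 << 9999) | 1, 2)   # accepted
DH_10001_BIT_PEM = encode_dhparams((1 << 10000) | 1, 2)  # "modulus too large"
```

A real file produced by `openssl dhparam` is checked the same way with `check_modulus_size(open("dh.pem").read())`.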

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users