OpenSSL 3.4.0 - Key too small error with key size 1024

[Samiya Khanum]

Hi all,

With openssl 3.4.0 code we are able to generate certificates with key size 1024 and DH param size 1024. Getting the below error when trying to use  these certificates for launching a secure http server. 

SSL connect err code:[167772559](error:0A00018F:SSL routines::ee key too small)
Error is ee key too small 

We would like to know is  openSSL 3.4.0 supports certificate key size 1024.

Same api(SSL_CTX_use_certificate) is working fine in 3.1.6.

Is any configuration required to support key size 1024 for legacy applications interaction

/// Code snippet

 int err = 0;
SSL_CTX  *ctx = NULLPTR;
EVP_PKEY *pkey = NULLPTR;
X509     *cert = NULLPTR;

SSL_load_error_strings();
 ERR_load_crypto_strings();

 ctx = SSL_CTX_new(SSLv23_method());
 if (ctx == NULL){
      printf("ssl ctx create error");
      return -1
  }
  fp = opensslFileOpen("mycert.pem");
  if (fp == NULL) {
      printf("file open error");
      return -1
  }
  cert = PEM_read_X509(fp, NULL, NULL, NULL);
  if (cert == NULL) {
      printf("file open error");
     return -1
  }
  if (!SSL_CTX_use_certificate(ctx, cert)) {
      int err = 0;
      if((err = ERR_get_error())) {
         printf("SSL connect err code:[%d](%s)\n", err, ERR_error_string(err, NULL));
         printf("Error is %s \n",ERR_reason_error_string(err));
         return  -1;
    }

}
 

Thanks & Regards,

Samiya khanum

This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.

[Tomas Mraz]

Yes, you have to set the security level to 0 to be able to use 1024 bit
RSA and DH keys. You can use SSL_CTX_set_security_level() function to
do this.

Of course you should do it only for legacy purposes as such short keys
do not provide sufficient security protections.

Tomas Mraz, OpenSSL

On Fri, 2024-12-20 at 19:39 +0530, 'Samiya Khanum' via openssl-users
wrote:

> --
> You received this message because you are subscribed to the Google
> Groups "openssl-users" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to openssl-user...@openssl.org.
> To view this discussion visit
> https://groups.google.com/a/openssl.org/d/msgid/openssl-users/CADmX34qez3Cjs-bzx5QVtUOuqkuo728ZqumQN%3DHeEx-c29%2BW0w%40mail.gmail.com
> .

--
Tomáš Mráz, OpenSSL

[David von Oheimb]

Looking at the disclaimer near the end of the below email saying

This electronic communication and the information and any files
transmitted with it, or attached to it, are confidential [...]

this might be taken as a hint for an alternative workaround:

Simply add that text to all your TLS payload 😇

Maybe this could help (best on April 1st) 😛

    David

[Samiya Khanum]

Hi Tomas,

Thank you for your response. 

After setting the security level to '0', 1024 is working fine.

Could you please let us know the security implications for setting security level to 0. 

Thanks & Regards,

Samiya khanum

[Keo Somony]

/// សម្រង់កូដ

int err = 0;
SSL_CTX *ctx = NULLPTR;
EVP_PKEY *pkey = NULLPTR;
X509 *cert = NULLPTR;

SSL_load_error_strings();
ERR_load_crypto_strings();

 Don’t use this code for check my documents 

On my phone.

To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/CADmX34q%3DCt8y_E2DE3f3DZQOo5%3DhvETaHyn-afKjgN_6it-AJQ%40mail.gmail.com.

[Keo Somony]

The above query will match the file docs/http-push.txt, even if it doesn't contain the term http-push. It will also match a file called example.txt if it contains the term http-push.

You can enter multiple terms separated by whitespace to search for documents that satisfy both terms.

For example, the following query: if still not available please 

On my phone.