When connecting to a TLS 1.2 web server that uses a weak 512-bit DH key, I noticed that browsers (Chrome, Firefox) select TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, and openssl, due to the cipher list, selects TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA:

    openssl s_client -connect 112.175.90.160:443 -cipher DEFAULT:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:-ECDH:-EXPORT:-DES:-SEED:-RC4:-PSK:-IDEA:ECDHE-RSA-AES128-SHA

The error is:

    dh key too small:.\ssl\s3_clnt.c:3424

From a client that uses the openssl libs, what would the correct workaround be? Try to figure out that the DH key is too small and retry with the DHE ciphers disabled? Or reorder the ciphers?

Given that cipher order can lead to failed handshakes, is there a correct order for https clients?
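
The first workaround the post asks about (detect the too-small DH key, then retry with DHE disabled), as an added example that is not part of the original post. It assumes Python's `ssl` module as the OpenSSL binding; the function names and both cipher strings are hypothetical choices for this sketch, with ECDHE listed ahead of DHE so the retry is only needed when a server insists on DHE.

```python
import socket
import ssl

# Assumed preference order for this sketch: ECDHE first, DHE only as a fallback.
PREFERRED = "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:!aNULL"
# !kDHE permanently removes every finite-field ephemeral DH suite from the list.
NO_DHE = PREFERRED + ":!kDHE"


def is_dh_key_too_small(exc):
    """True when OpenSSL rejected the server's DH parameters as too short."""
    reason = getattr(exc, "reason", None) or ""
    return reason == "DH_KEY_TOO_SMALL" or "dh key too small" in str(exc).lower()


def tls_connect(host, port, ciphers, timeout=10):
    """One handshake attempt with certificate and hostname verification on."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(ciphers)
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()  # do not leak the TCP socket of a failed handshake
        raise


def connect_with_dhe_fallback(host, port, connect=tls_connect):
    """Try the preferred list; on a too-small DH key retry once without DHE.

    Returns (connection, cipher_string_used). Any other failure propagates,
    and the weak DH group is never accepted.
    """
    try:
        return connect(host, port, PREFERRED), PREFERRED
    except ssl.SSLError as exc:
        if not is_dh_key_too_small(exc):
            raise
    return connect(host, port, NO_DHE), NO_DHE
```

The retry keeps OpenSSL's minimum DH size check in place and only changes which key exchanges the client offers; `connect` is injectable so the fallback logic can be exercised without a network.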