Yes, you have to set the security level to 0 to be able to use 1024 bit
RSA and DH keys. You can use the SSL_CTX_set_security_level() function
to do this.

Of course you should do it only for legacy purposes as such short keys
do not provide sufficient security protections.

Tomas Mraz, OpenSSL

On Fri, 2024-12-20 at 19:39 +0530, 'Samiya Khanum' via openssl-users wrote:
> Hi all,
> With OpenSSL 3.4.0 code we are able to generate certificates with key
> size 1024 and DH param size 1024. We get the below error when trying
> to use these certificates for launching a secure HTTP server.
>
> SSL connect err code:[167772559](error:0A00018F:SSL routines::ee key
> too small)
> Error is ee key too small
>
> We would like to know whether OpenSSL 3.4.0 supports certificate key
> size 1024.
> The same API (SSL_CTX_use_certificate) is working fine in 3.1.6.
>
> Is any configuration required to support key size 1024 for
> interaction with legacy applications?
>
> /// Code snippet
> unsigned long err = 0;
> SSL_CTX *ctx = NULL;
> EVP_PKEY *pkey = NULL;
> X509 *cert = NULL;
> FILE *fp = NULL;
> SSL_load_error_strings();
> ERR_load_crypto_strings();
>
> ctx = SSL_CTX_new(SSLv23_method());
> if (ctx == NULL) {
>     printf("ssl ctx create error");
>     return -1;
> }
> fp = opensslFileOpen("mycert.pem");
> if (fp == NULL) {
>     printf("file open error");
>     return -1;
> }
> cert = PEM_read_X509(fp, NULL, NULL, NULL);
> if (cert == NULL) {
>     printf("file open error");
>     return -1;
> }
> /* Fails with "ee key too small" when the key is below the
>  * context's security level. */
> if (!SSL_CTX_use_certificate(ctx, cert)) {
>     if ((err = ERR_get_error())) {
>         printf("SSL connect err code:[%lu](%s)\n", err,
>                ERR_error_string(err, NULL));
>         printf("Error is %s \n", ERR_reason_error_string(err));
>         return -1;
>     }
> }
>
>
> Thanks & Regards,
> Samiya khanum

-- 
Tomáš Mráz, OpenSSL