Since OpenSSL 1.0.2f, I'm getting SSL error:14082174

When I updated the software to the latest version, I wasn't able to connect to one of my FTP. I was getting

Code:

[14:17:31] [L] Connected to *****
[14:17:31] [L] 220 Apache
[14:17:31] [L] AUTH TLS
[14:17:31] [L] 234 AUTH TLS successful
[14:17:32] [L] SSL error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
[14:17:32] [L] Failed TLSv1 negotiation, disconnected
[14:17:32] [L] Connection failed (Connection closed by client)

The certificate on the server didn't change and I'm able to connect with 5.2 3910. Since you change the version in 5.2 3912. The server certificate is using the encryption DHE-RSA-AES128-SHA (128bits).

I find my workaround (downgrade) but I cannot upgrade until this is fixed.

Thanks

This error/warning was introduced by the OpenSSL 1.0.2f update to prevent the Logjam vulnerability (CVE-2015-4000)

Taken from https://www.openssl.org/news/secadv/20160128.txt

Quote:

An update on DHE man-in-the-middle protection (Logjam)
================================================== ==================

A previously published vulnerability in the TLS protocol allows a
man-in-the-middle attacker to downgrade vulnerable TLS connections
using ephemeral Diffie-Hellman key exchange to 512-bit export-grade
cryptography. This vulnerability is known as Logjam
(CVE-2015-4000). OpenSSL added Logjam mitigation for TLS clients by
rejecting handshakes with DH parameters shorter than 768 bits in
releases 1.0.2b and 1.0.1n.

This limit has been increased to 1024 bits in this release, to offer
stronger cryptographic assurance for all TLS connections using
ephemeral Diffie-Hellman key exchange.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

Basically the DH key on the remote server is too weak and the server needs to be re-configured to use a larger/stronger DH key.