Summary
serialization.load_pem_parameters() rejects an OpenSSL-generated DH file with ValueError: Invalid DH parameters on cryptography==49.x, while the same file loads successfully on cryptography==48.x.
The same file is also accepted by the OpenSSL CLI:
openssl dhparam -in dhparam.pem -check -noout
# DH parameters appear to be ok.
Reproduction
openssl dhparam -out dhparam.pem -outform PEM 2048
openssl dhparam -in dhparam.pem -check -noout
output: DH parameters appear to be ok.
Then in Python:
from pathlib import Path
from cryptography.hazmat.primitives import serialization
dh_file = Path("dhparam.pem")
dh_params = serialization.load_pem_parameters(dh_file.read_bytes()) # ValueError: Invalid DH parameters
This raises in cryptography==49.x, but not in 48 (I've tracked it down to the #15016 - @sjudson).
I know it's rather a rust-openssl responsibility, but it'd be nice to know at least the return code (or translation to str msg) of the openssl/dh.c DH_check method - https://linux.die.net/man/3/dh_check
Do you have any suggestions how this could be fixed on my side, other than downgrading the lib? I'd love to stick to the most recent version :). I believe the check is too strict and requires additional values other than p and g, which are not required by the standard of DH.
Example failing file:
Env
python --version
# Python 3.12.13
python -c "import cryptography; print(cryptography.__version__)"
# 49.0.0
python -c "from cryptography.hazmat.backends.openssl.backend import backend; print(backend.openssl_version_text())"
# OpenSSL 4.0.1 9 Jun 2026
openssl version -a
# OpenSSL 3.6.3 9 Jun 2026 (Library: OpenSSL 3.6.3 9 Jun 2026)
# built on: Wed Jun 10 05:27:07 2026 UTC
# platform: darwin64-arm64-cc
# ...
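Because the ValueError does not say which property was rejected, the following added example (not code from the issue, cryptography or rust-openssl) decodes a PKCS #3 DH PARAMETERS file and reports p, g, the optional privateValueLength and a few independent sanity checks. The checks are chosen here for diagnosis and are not claimed to match what cryptography 49 or DH_check run; SAMPLE is a constructed toy input and the function names are hypothetical.

```python
import base64
import re
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def parse_dh_pem(pem):
    """Return [p, g] or [p, g, privateValueLength] from a PKCS #3 PEM block."""
    m = re.search(rb"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    body, _ = _tlv(base64.b64decode(m.group(1)), 0, 0x30)  # DHParameter SEQUENCE
    ints, pos = [], 0
    while pos < len(body):
        raw, pos = _tlv(body, pos, 0x02)  # INTEGER
        ints.append(int.from_bytes(raw, "big", signed=True))
    return ints

def probable_prime(n):
    """Miller-Rabin with fixed bases: a diagnostic, not a proof for hostile input."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    def witness(a):  # True if base a proves n composite
        x = pow(a, d, n)
        return x != 1 and all(pow(x, 2**i, n) != n - 1 for i in range(r))
    return not any(witness(a) for a in SMALL_PRIMES)

def diagnose(pem):
    """Decode the file and run checks chosen for this example (an assumption)."""
    p, g, *rest = parse_dh_pem(pem)
    return {"p_bits": p.bit_length(), "g": g,
            "private_value_length": rest[0] if rest else None,
            "p_probable_prime": probable_prime(p), "g_in_range": 1 < g < p - 1,
            "p_safe_prime": probable_prime((p - 1) // 2)}

# Constructed toy input (p=23, g=5, privateValueLength=4), far too small for real use.
SAMPLE = (b"-----BEGIN DH PARAMETERS-----\n" + base64.b64encode(
    bytes.fromhex("3009020117020105020104")) + b"\n-----END DH PARAMETERS-----\n")
print(diagnose(SAMPLE))
```

To inspect a real file, pass its bytes to `diagnose()`, for example `diagnose(Path("dhparam.pem").read_bytes())`.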