The cause lies in lines 713+ in moduli.c

    /*
     * guess unknown generator
     */
    if (generator_known == 0) {
        if (BN_mod_word(p, 24) == 11)
            generator_known = 2;
        else if (BN_mod_word(p, 12) == 5)
            generator_known = 3;
        else {
            u_int32_t r = BN_mod_word(p, 10);

            if (r == 3 || r == 7)
                generator_known = 5;
        }
    }

As p is a Sophie-Germain prime: p=2q+1, where q is a prime as well.

    p    = 5 (mod 12)
    2q+1 = 5 (mod 12)
    2q   = 4 (mod 12)
    q    = 2 (mod 12)

so q would be divisible by 2, but as q is a prime, this is impossible.

RFC 4419 only mentions generators of 2 or 5.

    6.1. Choice of Generator

    One useful technique is to select the generator, and then limit the
    modulus selection sieve to primes with that generator:

        2 when p (mod 24) = 11.
        5 when p (mod 10) = 3 or 7.

Proposed fix:

    /*
     * guess unknown generator
     */
    if (generator_known == 0) {
        if (BN_mod_word(p, 24) == 11)
            generator_known = 2;
        else {
            u_int32_t r = BN_mod_word(p, 10);

            if (r == 3 || r == 7)
                generator_known = 5;
        }
    }
This has been applied and will be in the 8.0 release. Thanks.
closing resolved bugs as of 8.6p1 release
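An added check of the report's argument (not code from moduli.c or from this bug): it enumerates small p = 2q+1 with q an odd prime, counts how often the removed `p mod 12 == 5` test would match, and confirms that each guess made by the fixed logic generates the full group. The function names and the 100000 limit are assumptions of this example, and plain integers stand in for OpenSSL's BIGNUM calls.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example: names and the search limit are illustrative assumptions. */

/* Trial-division primality test; adequate for the small range used here. */
static int is_prime(uint32_t n) {
    if (n < 2) return 0;
    for (uint32_t d = 2; (uint64_t)d * d <= n; d++)
        if (n % d == 0) return 0;
    return 1;
}

/* Square-and-multiply modular exponentiation. */
static uint32_t pow_mod(uint64_t b, uint32_t e, uint32_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return (uint32_t)r;
}

/* Generator guess with the p mod 12 branch removed (the proposed fix). */
static uint32_t guess_generator(uint32_t p) {
    if (p % 24 == 11) return 2;
    if (p % 10 == 3 || p % 10 == 7) return 5;
    return 0; /* no guess */
}

/* Count p = 2q+1 (q odd prime) below limit matching the removed test. */
static unsigned dead_branch_hits(uint32_t limit) {
    unsigned hits = 0;
    for (uint32_t q = 3; 2 * q + 1 < limit; q += 2)
        if (is_prime(q) && is_prime(2 * q + 1) && (2 * q + 1) % 12 == 5) hits++;
    return hits;
}

/* Count guesses that do not generate the full group: g^q must be p-1. */
static unsigned bad_guesses(uint32_t limit) {
    unsigned bad = 0;
    for (uint32_t q = 3; 2 * q + 1 < limit; q += 2) {
        uint32_t p = 2 * q + 1, g;
        if (!is_prime(q) || !is_prime(p)) continue;
        g = guess_generator(p);
        if (g && pow_mod(g, q, p) != p - 1) bad++;
    }
    return bad;
}

int main(void) {
    printf("dead-branch hits: %u, bad guesses: %u\n", dead_branch_hits(100000), bad_guesses(100000));
}
```

Both counts are zero: for odd q, p = 2q+1 is 3 (mod 4), while p = 5 (mod 12) would force p = 1 (mod 4), so the generator-3 branch can never fire.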