[Bug 2250] JSSE server is still limited to 768-bit DHE
bugzilla-daemon at icedtea.classpath.org
Mon Mar 2 16:08:56 UTC 2015
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2250
--- Comment #4 from Andrew John Hughes <gnu.andrew at redhat.com> ---
I know, that's why I said we wouldn't use the default settings in this patch.
If we instead set useLegacyEphemeralDHKeys to true by default (the patch sets
it to false), we would get the same key size as at present i.e.
    dh = new DHCrypt((export ? 512 : 768), sslContext.getSecureRandom());
becomes
    int keySize = export ? 512 : 1024; // default mode
    if (!export) {
        if (useLegacyEphemeralDHKeys) { // legacy mode
            keySize = 768;
        } else ...
        } else ...
        }
    }
    dh = new DHCrypt(keySize, sslContext.getSecureRandom());
If export is true in either case, the result is a key size of 512. If export is
false in either case, the key size is 768 as we have useLegacyEphemeralDHKeys
set to true by default.
Different behaviour would only occur if the user explicitly set
jdk.tls.ephemeralDHKeySize.
No-one is suggesting this would be an IcedTea-only change. We can propose it
for OpenJDK 7, along with the backlog of other patches, once it's open for
business again.
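
The key-size selection described in the comment above, as an added Java sketch that is not part of the original message or of the IcedTea/OpenJDK sources. It assumes `jdk.tls.ephemeralDHKeySize` accepts `legacy` or a decimal size (as documented for OpenJDK 8); `original`, `patched` and `legacyByDefault` are hypothetical names, and the branches elided in the comment are not modelled.

```java
// Added illustration; not IcedTea/OpenJDK source. Models only the branches
// visible in the comment plus an explicit numeric size.
public class DheKeySizeDemo {

    // Behaviour before the patch: hard-coded sizes.
    static int original(boolean export) {
        return export ? 512 : 768;
    }

    // Behaviour after the patch. 'property' stands for the value of
    // jdk.tls.ephemeralDHKeySize (null = not set). 'legacyByDefault' is the
    // value useLegacyEphemeralDHKeys takes when the property is not set.
    // Assumption: "legacy" and a decimal size are accepted values, as in
    // OpenJDK 8; any other string is rejected here with NumberFormatException.
    static int patched(boolean export, String property, boolean legacyByDefault) {
        boolean useLegacy = legacyByDefault;
        int customSize = -1;
        if (property != null && !property.isEmpty()) {
            useLegacy = "legacy".equals(property);
            if (!useLegacy) {
                customSize = Integer.parseInt(property);
            }
        }
        int keySize = export ? 512 : 1024;   // default mode
        if (!export) {
            if (useLegacy) {                 // legacy mode
                keySize = 768;
            } else if (customSize > 0) {     // explicit size
                keySize = customSize;
            }
        }
        return keySize;
    }

    public static void main(String[] args) {
        String[] settings = { null, "legacy", "2048" };   // constructed sample values
        System.out.println("export  property  original  patch(default=false)  proposed(default=true)");
        for (boolean export : new boolean[] { true, false }) {
            for (String p : settings) {
                System.out.printf("%-7b %-9s %-9d %-21d %d%n",
                        export, p, original(export),
                        patched(export, p, false), patched(export, p, true));
            }
        }
    }
}
```

With the property unset, the proposed column matches the original column for both export and non-export suites, while the patch column gives 1024 for non-export suites.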