[Bug 2250] JSSE server is still limited to 768-bit DHE
bugzilla-daemon at icedtea.classpath.org
Mon Mar 2 16:33:53 UTC 2015
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2250
--- Comment #6 from Andrew John Hughes <gnu.andrew at redhat.com> ---
(In reply to Andrew Haley from comment #5)
> (In reply to Andrew John Hughes from comment #4)
> > I know, that's why I said we wouldn't use the default settings in this
> > patch. If we instead set useLegacyEphemeralDHKeys to true by default (the
> > patch sets it to false), we would get the same key size as at present i.e.
>
> The problem is that it's not possible to get a larger key size without
> changing the default; and doing that can break some other program running
> elsewhere in an app server.
Sure, but at present, it's not possible to get a larger key size *at all*.
Adding this would give those who want larger key sizes the option of having
them by explicitly enabling them and dealing with any problems that result.
> It's the same problem with upgrading to a newer
> JVM, but some compatibility problems might be expected in that case. Not
> for a minor change in a legacy VM.
Not really, because a newer JVM affects everyone. This would only affect those
who explicitly set the property. The majority are likely to be unaware that
support for such a property was even added.
>
> > Different behaviour would only occur if the user explicitly set
> > jdk.tls.ephemeralDHKeySize.
>
> Yes.
>
> > No-one is suggesting this would be an IcedTea-only change.
>
> Good.
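
Added example, not part of the original message or of the patch under discussion: a shell check an administrator could run after explicitly setting jdk.tls.ephemeralDHKeySize, to confirm which ephemeral DH size the server actually offers. It assumes `openssl s_client` output that contains a `Server Temp Key: DH, N bits` line (OpenSSL 1.0.2 and later); the sample outputs, the function names, the host placeholder and the 2048-bit default threshold are constructed for illustration.

```shell
#!/bin/sh
# Live input would come from something like (host and port are placeholders):
#   openssl s_client -connect HOST:PORT -cipher DHE </dev/null 2>/dev/null
# after starting the server JVM with e.g. -Djdk.tls.ephemeralDHKeySize=2048.

# Constructed sample outputs (not captured from real servers).
sample_legacy='No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit'

sample_opt_in='No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit'

sample_ecdhe='No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA'

# Print the finite-field ephemeral DH size in bits, or nothing when the
# handshake did not use DHE (the pattern deliberately skips ECDH lines).
dh_bits() {
    printf '%s\n' "$1" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' |
        head -n 1
}

# Classify one s_client transcript against a minimum size.
# $1 = transcript, $2 = minimum bits (default 2048, an assumption here).
# Returns 0 = OK, 1 = below minimum, 2 = no DHE key seen.
check_dhe() {
    min=${2:-2048}
    bits=$(dh_bits "$1")
    if [ -z "$bits" ]; then
        echo "NO-DHE"
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "WEAK $bits"
        return 1
    fi
    echo "OK $bits"
}

check_dhe "$sample_legacy" || true   # legacy-sized key from the bug title
check_dhe "$sample_opt_in" || true   # after opting in to a larger size
```

A `NO-DHE` result means the property had no bearing on that handshake, for example because an ECDHE suite was negotiated instead.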