RFR: 8373426: Remove ffdhe6144 and ffdhe8192 from default list of TLS named groups
Xue-Lei Andrew Fan
xuelei at openjdk.org
Thu Feb 5 19:56:36 UTC 2026
On Thu, 5 Feb 2026 18:28:52 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> I have found no evidence of them being used anywhere - do you have any references?
No, I don't. A lot of projects are internal and private. It is hard to know every deployment in practice. If you are confident that no one actually uses them in practice, it is surely safe to remove them, with no compatibility issues. So if you are confident, please go ahead. Otherwise, I do not see any bad impact in keeping them at this moment.
> in some particularly security-sensitive case users can still enable these via property or API calls
It is not easy to update source code in practice, especially for third-party dependencies. As for the property, a service may fail first, and only then know to set the property. No one really knows every line of code of a product or service. I do not see the reason to take on the trouble yet.
> DHE groups and cipher suites are becoming legacy
That's a good reason to deprecate DHE groups and cipher suites, but not for removing current groups like that.
Anyway, I do not see the benefit of removing them, and would not like to take risks that I don't understand. But I don't mind if you are confident.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/29577#issuecomment-3855880748