<div dir="ltr"><div>Hi all,</div><div><br></div><div>I'm writing an HTTPS client for Play, and I would like to give some recommendations in the documentation for the current recommended key sizes in the server handshake and in the X.509 certificate.</div>
<div><br></div><div>I'm using the key lengths as defined in <a href="http://www.keylength.com">http://www.keylength.com</a>, but I am concerned that I may have confused the algorithm names and key sizes, as Diffie Hellman in particular seems to have a number of different relevant key sizes floating around for p and q.</div>
<div><br></div><div>The current text of the document is as follows:</div><div>-----------</div><div><div><br></div><div>The `jdk.tls.disabledAlgorithms` can be used to prevent weak ciphers, and can also be used to prevent small key sizes from being used in a handshake. This is a [useful feature](<a href="http://sim.ivi.co/2013/11/harness-ssl-and-jsse-key-size-control.html">http://sim.ivi.co/2013/11/harness-ssl-and-jsse-key-size-control.html</a>) that is only available in JDK 1.7 and later.</div>
<div><br></div><div>The official documentation for disabled algorithms is [here](<a href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms">http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms</a>).</div>
<div><br></div><div>The parameter names to use for the disabled algorithms are not obvious, but are listed in the [Providers documentation](<a href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html">http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html</a>).</div>
<div><br></div><div>For X.509 certificates, the public key algorithms used in signatures can be RSA, DSA or EC (listed as "ECDSA"):</div><div><br></div><div>```</div><div>jdk.certpath.disabledAlgorithms="RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224"</div>
<div>```</div><div><br></div><div>The digest algorithms used in signatures can be "NONE, MD2, MD4, MD5, SHA1, SHA256, SHA512, SHA384":</div><div><br></div><div>```</div><div>jdk.certpath.disabledAlgorithms="MD2, MD4, MD5"</div>
<div>```</div><div><br></div><div>For TLS handshakes, the code will match the first part of the cipher suite after the protocol, i.e. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 has ECDHE as the relevant cipher, giving "DHE, ECDH, ECDHE, RSA":</div>
<div><br></div><div>```</div><div>jdk.tls.disabledAlgorithms="DHE keySize < 2048, ECDH keySize < 2048, ECDHE keySize < 2048, RSA keySize < 2048"</div><div>```</div><div><br></div><div>Note that if you set `DHE keySize < 2048`, you will also want to set `jdk.tls.ephemeralDHKeySize=2048` (and be running JDK 1.8).</div>
</div><div><br></div><div><div><br class="">JDK 1.7 has a [bug](<a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8014618" target="_blank" style="color:rgb(102,17,204);font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none;font-family:Arial,Helvetica,sans-serif">http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8014618</a>) that may cause Diffie Hellman algorithms to fail 0.05% of the time, so you may want to disable it or upgrade to JDK 1.8.</div>
</div><div><br></div></div>