Mercurial > hg > release > icedtea7-forest-2.5 > jdk

changeset 8152:45680a70921d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
PR2250: JSSE server is still limited to 768-bit DHE Summary: Alter 6956398 so that legacy mode is default and 1024-bit keys come with "jdk8" mode.
author andrew
date Fri, 03 Apr 2015 17:19:21 +0100
parents e2cd616bdbcc
children 73a846f502ad
files src/share/classes/sun/security/ssl/ServerHandshaker.java
diffstat 1 files changed, 9 insertions(+), 10 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java	Fri Apr 03 18:26:32 2015 +0100
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java	Fri Apr 03 17:19:21 2015 +0100
@@ -111,15 +111,15 @@
         String property = AccessController.doPrivileged(
                     new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
         if (property == null || property.length() == 0) {
-            useLegacyEphemeralDHKeys = false;
+            useLegacyEphemeralDHKeys = true;
             useSmartEphemeralDHKeys = false;
             customizedDHKeySize = -1;
         } else if ("matched".equals(property)) {
             useLegacyEphemeralDHKeys = false;
             useSmartEphemeralDHKeys = true;
             customizedDHKeySize = -1;
-        } else if ("legacy".equals(property)) {
-            useLegacyEphemeralDHKeys = true;
+        } else if ("jdk8".equals(property)) {
+            useLegacyEphemeralDHKeys = false;
             useSmartEphemeralDHKeys = false;
             customizedDHKeySize = -1;
         } else {
@@ -1230,14 +1230,13 @@
          * 768 bits ephemeral DH private keys were used to be used in
          * ServerKeyExchange except that exportable ciphers max out at 512
          * bits modulus values. We still adhere to this behavior in legacy
-         * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
-         * as "legacy").
+         * mode (system property "jdk.tls.ephemeralDHKeySize"
+         * is not defined).
          *
-         * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
-         * than 1024 bits. We have to consider the compatibility requirement.
-         * 1024 bits DH key is always used for non-exportable cipher suites
-         * in default mode (system property "jdk.tls.ephemeralDHKeySize"
-         * is not defined).
+         * New JDK (JDK 8 and later) releases use a 1024 bit DH key for
+         * non-exportable cipher suites in default mode and this can
+         * be enabled when the system property "jdk.tls.ephemeralDHKeySize"
+         * is defined as "jdk8".
          *
          * However, if applications want more stronger strength, setting
          * system property "jdk.tls.ephemeralDHKeySize" to "matched"