Mercurial > hg > release > icedtea7-forest-2.5 > jdk
changeset 8152:45680a70921d
PR2250: JSSE server is still limited to 768-bit DHE
Summary: Alter 6956398 so that legacy mode is default and 1024-bit keys come with "jdk8" mode.
author | andrew |
---|---|
date | Fri, 03 Apr 2015 17:19:21 +0100 |
parents | e2cd616bdbcc |
children | 73a846f502ad |
files | src/share/classes/sun/security/ssl/ServerHandshaker.java |
diffstat | 1 files changed, 9 insertions(+), 10 deletions(-) |
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java Fri Apr 03 18:26:32 2015 +0100 +++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java Fri Apr 03 17:19:21 2015 +0100 @@ -111,15 +111,15 @@ String property = AccessController.doPrivileged( new GetPropertyAction("jdk.tls.ephemeralDHKeySize")); if (property == null || property.length() == 0) { - useLegacyEphemeralDHKeys = false; + useLegacyEphemeralDHKeys = true; useSmartEphemeralDHKeys = false; customizedDHKeySize = -1; } else if ("matched".equals(property)) { useLegacyEphemeralDHKeys = false; useSmartEphemeralDHKeys = true; customizedDHKeySize = -1; - } else if ("legacy".equals(property)) { - useLegacyEphemeralDHKeys = true; + } else if ("jdk8".equals(property)) { + useLegacyEphemeralDHKeys = false; useSmartEphemeralDHKeys = false; customizedDHKeySize = -1; } else { @@ -1230,14 +1230,13 @@ * 768 bits ephemeral DH private keys were used to be used in * ServerKeyExchange except that exportable ciphers max out at 512 * bits modulus values. We still adhere to this behavior in legacy - * mode (system property "jdk.tls.ephemeralDHKeySize" is defined - * as "legacy"). + * mode (system property "jdk.tls.ephemeralDHKeySize" + * is not defined). * - * Old JDK (JDK 7 and previous) releases don't support DH keys bigger - * than 1024 bits. We have to consider the compatibility requirement. - * 1024 bits DH key is always used for non-exportable cipher suites - * in default mode (system property "jdk.tls.ephemeralDHKeySize" - * is not defined). + * New JDK (JDK 8 and later) releases use a 1024 bit DH key for + * non-exportable cipher suites in default mode and this can + * be enabled when the system property "jdk.tls.ephemeralDHKeySize" + * is defined as "jdk8". * * However, if applications want more stronger strength, setting * system property "jdk.tls.ephemeralDHKeySize" to "matched"
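Review bot: In the property-parsing hunk (@@ -111,15 +111,15 @@), replacing the `"legacy".equals(property)` branch with `"jdk8".equals(property)` means a deployment that already sets jdk.tls.ephemeralDHKeySize=legacy explicitly no longer matches any named mode and drops into the final `else` branch, whose body is not shown here. Consider keeping "legacy" as an accepted value alongside the new "jdk8" one so existing configurations keep their meaning. Separately, with `useLegacyEphemeralDHKeys = true` for a null or empty property, an unconfigured server stays in the legacy mode that the comment in the second hunk describes as 768 bits, so the larger key sizes are opt-in through "jdk8" or "matched"; that should be called out wherever the property is documented.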
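Review bot: In the comment hunk (@@ -1230,14 +1230,13 @@), the phrase "in default mode" in the new paragraph is ambiguous, because after this change the default in this tree (property not defined) is legacy mode, while the sentence is describing the default of JDK 8 and later. Suggested wording: JDK 8 and later use a 1024 bit DH key for non-exportable cipher suites by default; here that behaviour is selected by defining "jdk.tls.ephemeralDHKeySize" as "jdk8". The removed sentence stating that JDK 7 and earlier releases don't support DH keys bigger than 1024 bits was the compatibility rationale for the size limit and could be retained.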