changeset 8198:7b2018284119
PR2487: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize
Summary: Backout 45680a70921daf8a5929b890de22c2fa5d117d82
author | andrew |
---|---|
date | Mon, 20 Jul 2015 00:11:26 +0100 |
parents | 5ae5406c6f79 |
children | 5aec959c9177 |
files | src/share/classes/sun/security/ssl/ServerHandshaker.java |
diffstat | 1 files changed, 10 insertions(+), 9 deletions(-) [+] |
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java Sat Jul 18 00:45:28 2015 +0100
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java Mon Jul 20 00:11:26 2015 +0100
@@ -111,15 +111,15 @@
 String property = AccessController.doPrivileged(
 new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
 if (property == null || property.length() == 0) {
- useLegacyEphemeralDHKeys = true;
+ useLegacyEphemeralDHKeys = false;
 useSmartEphemeralDHKeys = false;
 customizedDHKeySize = -1;
 } else if ("matched".equals(property)) {
 useLegacyEphemeralDHKeys = false;
 useSmartEphemeralDHKeys = true;
 customizedDHKeySize = -1;
- } else if ("jdk8".equals(property)) {
- useLegacyEphemeralDHKeys = false;
+ } else if ("legacy".equals(property)) {
+ useLegacyEphemeralDHKeys = true;
 useSmartEphemeralDHKeys = false;
 customizedDHKeySize = -1;
 } else {
@@ -1230,13 +1230,14 @@
 * 768 bits ephemeral DH private keys were used to be used in
 * ServerKeyExchange except that exportable ciphers max out at 512
 * bits modulus values. We still adhere to this behavior in legacy
- * mode (system property "jdk.tls.ephemeralDHKeySize"
- * is not defined).
+ * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
+ * as "legacy").
 *
- * New JDK (JDK 8 and later) releases use a 1024 bit DH key for
- * non-exportable cipher suites in default mode and this can
- * be enabled when the system property "jdk.tls.ephemeralDHKeySize"
- * is defined as "jdk8".
+ * Older versions of OpenJDK don't support DH keys bigger
+ * than 1024 bits. We have to consider the compatibility requirement.
+ * 1024 bits DH key is always used for non-exportable cipher suites
+ * in default mode (system property "jdk.tls.ephemeralDHKeySize"
+ * is not defined).
 *
 * However, if applications want more stronger strength, setting
 * system property "jdk.tls.ephemeralDHKeySize" to "matched"
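Review bot: The value `jdk8`, which the previous revision accepted, is no longer matched by any branch in the first hunk and now falls through to the final `else`. The body of that branch is outside the hunk; if it parses the property as a number, as the `customizedDHKeySize` assignments suggest, a deployment that opted into the stronger setting with `-Djdk.tls.ephemeralDHKeySize=jdk8` would hit the invalid-value path instead of getting the new default. Since `jdk8` and the unset case now select the same flags, the first condition could keep it as an alias: `if (property == null || property.length() == 0 || "jdk8".equals(property)) {`. The enclosing initializer starts and ends outside the hunk.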
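Review bot: The rewritten comment in the second hunk documents `legacy` as a supported value without saying that it is the weaker choice. According to the unchanged lines just above, that mode uses 768-bit ephemeral DH keys, or 512-bit for exportable suites, which is below the 1024-bit default this commit introduces. I would add a sentence after the `as "legacy").` line such as `* Legacy mode exists only for interoperability with old peers and is weaker than the default; do not set it otherwise.` so that a reader choosing a value sees the trade-off. The comment block starts and continues outside the hunk.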