changeset 8198:7b2018284119

PR2487: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize Summary: Backout 45680a70921daf8a5929b890de22c2fa5d117d82
author andrew
date Mon, 20 Jul 2015 00:11:26 +0100
parents 5ae5406c6f79
children 5aec959c9177
files src/share/classes/sun/security/ssl/ServerHandshaker.java
diffstat 1 files changed, 10 insertions(+), 9 deletions(-) [+]
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java	Sat Jul 18 00:45:28 2015 +0100
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java	Mon Jul 20 00:11:26 2015 +0100
@@ -111,15 +111,15 @@
         String property = AccessController.doPrivileged(
                     new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
         if (property == null || property.length() == 0) {
-            useLegacyEphemeralDHKeys = true;
+            useLegacyEphemeralDHKeys = false;
             useSmartEphemeralDHKeys = false;
             customizedDHKeySize = -1;
         } else if ("matched".equals(property)) {
             useLegacyEphemeralDHKeys = false;
             useSmartEphemeralDHKeys = true;
             customizedDHKeySize = -1;
-        } else if ("jdk8".equals(property)) {
-            useLegacyEphemeralDHKeys = false;
+        } else if ("legacy".equals(property)) {
+            useLegacyEphemeralDHKeys = true;
             useSmartEphemeralDHKeys = false;
             customizedDHKeySize = -1;
         } else {
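Review bot: The old property value `"jdk8"` is no longer matched anywhere after the rename on the `else if` line, so a deployment that already sets `jdk.tls.ephemeralDHKeySize=jdk8` now falls into the trailing `else` branch, which sits outside the hunk and presumably tries to parse the value as a key size; what that does with a non-numeric string cannot be confirmed from here. Since `"jdk8"` meant exactly the behaviour that is now the default (non-legacy, non-smart, 1024-bit), the compatible treatment is to fold it into the default arm, `if (property == null || property.length() == 0 || "jdk8".equals(property)) {`, rather than letting it reach the numeric path. The block comment rewritten in the second hunk should likewise say that `"jdk8"` is no longer a recognised spelling and that unset now means 1024-bit. The enclosing initializer starts before the hunk.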
@@ -1230,13 +1230,14 @@
          * 768 bits ephemeral DH private keys were used to be used in
          * ServerKeyExchange except that exportable ciphers max out at 512
          * bits modulus values. We still adhere to this behavior in legacy
-         * mode (system property "jdk.tls.ephemeralDHKeySize"
-         * is not defined).
+         * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
+         * as "legacy").
          *
-         * New JDK (JDK 8 and later) releases use a 1024 bit DH key for
-         * non-exportable cipher suites in default mode and this can
-         * be enabled when the system property "jdk.tls.ephemeralDHKeySize"
-         * is defined as "jdk8".
+         * Older versions of OpenJDK don't support DH keys bigger
+         * than 1024 bits. We have to consider the compatibility requirement.
+         * 1024 bits DH key is always used for non-exportable cipher suites
+         * in default mode (system property "jdk.tls.ephemeralDHKeySize"
+         * is not defined).
          *
          * However, if applications want more stronger strength, setting
          * system property "jdk.tls.ephemeralDHKeySize" to "matched"