I get this:

root@lime2:~# openssl s_client -connect localhost:8443 -showcerts -cipher "EDH" < /dev/null 2>&1 | grep "Server Temp Key"
Server Temp Key: X25519, 253 bits

> Message of 08/01/22 16:14
> From: "Travis Spencer"
> To: goues...@orange.fr, "JETTY user mailing list"
> Cc:
> Subject: Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?
>
> See https://java.com/en/configure_crypto.html#DHAKeySize
>
> IINM, you can update $JAVA_HOME/conf/security/java.security (on Java 9+) or
> $JAVA_HOME/lib/security/java.security (on Java < 9) to have
>
> DH keySize < 2048
>
> in the jdk.tls.disabledAlgorithms security property.
>
> If I read that weakdh.org web page and the java.com one correctly, I think that
> should disable weak DH params. To test, I did this:
>
> $ openssl s_client -connect localhost:443 -showcerts -cipher "EDH" < /dev/null 2>&1 | grep "Server Temp Key"
> Server Temp Key: DH, 2048 bits
>
> Against my server, even without disabling DH keys < 2048, I still got the above
> value, which, IINM, means the weakness spoken about on weakdh.org is not an issue.
>
> HTH!
>
> On Fri, Jan 7, 2022 at 10:52 PM  wrote:
>
> > Hello
> >
> > I would like to avoid using common Diffie Hellman primes in order to improve
> > the security during key exchange. I tried to follow these steps:
> > https://weakdh.org/sysadmin.html
> >
> > I know how to exclude some cipher suites:
> > https://www.eclipse.org/jetty/javadoc/jetty-11/org/eclipse/jetty/util/ssl/SslContextFactory.html#addExcludeCipherSuites(java.lang.String...)
> >
> > However, I haven't found a way of telling Jetty to use new DH parameters
> > generated with "openssl dhparam -out dhparams.pem 2048". Where can I cleanly
> > override that?
> >
> > Best regards.

_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users
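An added check, not part of the thread above and not Jetty or JDK code: a small POSIX shell script that runs the s_client probe the thread uses and classifies the ephemeral key it reports. It exists mainly to make two caveats concrete when comparing the two outputs in the thread. First, `-cipher "EDH"` only filters TLS 1.2 (and older) cipher suites; against a TLS 1.3-capable server the handshake picks its key share from the supported groups list and reports X25519 no matter which DHE group the server would use for a TLS 1.2 client, so the probe below pins `-tls1_2`. Second, a Java server never loads an OpenSSL `dhparams.pem`: the SunJSSE provider selects the finite-field group itself from a built-in set, and the TLS 1.2 DHE size is governed by the `jdk.tls.ephemeralDHKeySize` system property rather than by a parameter file. The 2048-bit floor, the host/port arguments and the sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example for the thread above (not Jetty or JDK code): classify the
# ephemeral key that `openssl s_client` reports and flag finite-field DH below
# 2048 bits. The 2048-bit floor is an assumption taken from weakdh.org's advice.

# classify_temp_key LINE
#   LINE is a "Server Temp Key: ..." line as printed by openssl s_client.
#   Prints a verdict and returns 0 (acceptable), 1 (weak DH) or 2 (unparseable).
classify_temp_key() {
    line=$1
    # Extract "<type> <bits>": the type is the field before the first comma and
    # the size is the last number before "bits" (ECDH lines carry an extra
    # ", P-256" field in between, which this pattern skips).
    parsed=$(printf '%s\n' "$line" | sed -n \
        's/^[[:space:]]*Server Temp Key:[[:space:]]*\([^,]*\),.*[^0-9]\([0-9][0-9]*\) bits.*/\1 \2/p')
    if [ -z "$parsed" ]; then
        echo "unparseable: $line"
        return 2
    fi
    set -- $parsed
    ktype=$1
    bits=$2
    case "$ktype" in
        DH)
            if [ "$bits" -lt 2048 ]; then
                echo "weak: DH $bits bits"
                return 1
            fi
            echo "ok: DH $bits bits"
            return 0
            ;;
        X25519|X448|ECDH)
            # Elliptic-curve exchange: the weakdh.org precomputation attack on
            # widely shared finite-field primes does not apply here.
            echo "ok: $ktype $bits bits (elliptic curve, not finite-field DH)"
            return 0
            ;;
        *)
            echo "unknown: $ktype $bits bits"
            return 2
            ;;
    esac
}

# probe_temp_key HOST PORT
#   The thread's probe, pinned to TLS 1.2: -cipher only filters TLS 1.2 suites,
#   so without -tls1_2 a TLS 1.3 server answers with its X25519 key share and
#   the DHE group used for TLS 1.2 clients is never exercised.
probe_temp_key() {
    openssl s_client -connect "$1:$2" -tls1_2 -cipher EDH </dev/null 2>&1 |
        grep 'Server Temp Key'
}

# Usage: sh check_dh.sh localhost 8443   (host and port are assumed arguments)
if [ $# -eq 2 ]; then
    classify_temp_key "$(probe_temp_key "$1" "$2")"
fi
```

An empty result from the probe (classified as "unparseable") is itself informative: it means the server offered no DHE suite at all over TLS 1.2, which is the outcome after `DH keySize < 2048` has been added to `jdk.tls.disabledAlgorithms` on a server that only had a weak group to offer.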
