Thank you very much for your suggestion. Is there a means of changing that in Jetty without modifying the JRE?
When I run your command line, it prints nothing on my server. The connection is refused. I'll try to adapt it to make it work, I should probably use another port. This is the script I use to configure my server from scratch: https://sourceforge.net/p/red-feed-aggregator/code/ci/master/tree/minimal_self_hosting_setup.sh

> Message of 08/01/22 16:14
> From: "Travis Spencer"
> To: goues...@orange.fr, "JETTY user mailing list"
> Cc:
> Subject: Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?
>
> See https://java.com/en/configure_crypto.html#DHAKeySize
> IINM, you can update $JAVA_HOME/conf/security/java.security (on Java 9+) or $JAVA_HOME/lib/security/java.security (on Java < 9) to have
>
> DH keySize < 2048
> in the jdk.tls.disabledAlgorithms security property.
>
> If I read that weakdh.org web page and the java.com one correctly, I think that should disable weak DH params. To test, I did like this:
> $ openssl s_client -connect localhost:443 -showcerts -cipher "EDH" < /dev/null 2>&1 | grep "Server Temp Key"
> Server Temp Key: DH, 2048 bits
> Against my server, even without disabling DH keys < 2048, I still got the above value which IINM means the weakness spoken about on weakdh.org is not an issue.
> HTH!
>
> On Fri, Jan 7, 2022 at 10:52 PM wrote:
>
> Hello
>
> I would like to avoid using common Diffie Hellman primes in order to improve
> the security during key exchange, I tried to follow these steps:
> https://weakdh.org/sysadmin.html
>
> I know how to exclude some cipher suites:
> https://www.eclipse.org/jetty/javadoc/jetty-11/org/eclipse/jetty/util/ssl/SslContextFactory.html#addExcludeCipherSuites(java.lang.String...)
>
> However, I haven't found a way of telling Jetty to use new DH parameters
> generated with "openssl dhparam -out dhparams.pem 2048". Where can I cleanly
> override that?
>
> Best regards.
> _______________________________________________
> jetty-users mailing list
> jetty-users@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
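One way to check the setting discussed in the quoted reply, as an added example that is not part of the thread: a POSIX shell script that finds java.security under a given JAVA_HOME and reports the "DH keySize < N" floor in jdk.tls.disabledAlgorithms. The function names and the sample file are constructed for illustration, and only the "<" form of the constraint is parsed.

```shell
# Added example (not from the thread): audit java.security for "DH keySize < N".
# Java 9+ uses conf/security, older releases lib/security (paths from the thread).
find_java_security() {
    for f in "$1/conf/security/java.security" "$1/lib/security/java.security"; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Print the value of jdk.tls.disabledAlgorithms, joining "\" continuation lines.
disabled_algorithms() {
    awk '
        on { line = $0; sub(/^[ \t]+/, "", line)      # continuation of the value
             cont = sub(/\\$/, "", line); buf = buf line
             if (!cont) { val = buf; on = 0 }; next }
        /^[ \t]*[#!]/ { next }                        # comment line
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*[=:]/ {
             line = $0; sub(/^[^=:]*[=:][ \t]*/, "", line)
             cont = sub(/\\$/, "", line); buf = line
             if (cont) on = 1; else val = buf }       # last definition wins
        END { if (on) val = buf; print val }
    ' "$1"
}

# Print N from "DH keySize < N"; prints nothing when DH has no size floor.
dh_min_keysize() {
    disabled_algorithms "$1" | tr ',' '\n' | sed -n \
        's/^[[:space:]]*DH[[:space:]][[:space:]]*keySize[[:space:]]*<[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Succeed only if DH groups smaller than $2 bits (default 2048) are disabled.
dh_is_hardened() {
    have=$(dh_min_keysize "$1")
    [ -n "$have" ] && [ "$have" -ge "${2:-2048}" ]
}

# Constructed sample file (not copied from a real JDK), in a temp JAVA_HOME.
demo=$(mktemp -d)
mkdir -p "$demo/conf/security"
cat > "$demo/conf/security/java.security" <<'EOF'
# jdk.tls.disabledAlgorithms=this commented-out line must be ignored
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, \
    DH keySize < 1024, \
    EC keySize < 224
EOF
file=$(find_java_security "$demo")
if dh_is_hardened "$file"; then echo "OK: DH below 2048 bits disabled"
else echo "WEAK: DH floor is '$(dh_min_keysize "$file")', want >= 2048"; fi
```

To audit a real installation, call `find_java_security "$JAVA_HOME"` and pass the result to `dh_is_hardened`.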