On Tue, Feb 17, 2026 at 3:39 PM Benny Prange <[email protected]> wrote:
>
> On Tue, Feb 17, 2026 at 3:14 PM Rémy Maucherat <[email protected]> wrote:
>
> > On Tue, Feb 17, 2026 at 2:38 PM Benny Prange
> > <[email protected]> wrote:
> > >
> > > Hi there,
> > >
> > > It seems that with the introduction of
> > > https://bz.apache.org/bugzilla/show_bug.cgi?id=69800, some Java JSSE
> > > Properties are ignored if passed as a Java Property.
> > > In detail, I could verify that the properties "jdk.tls.ephemeralDHKeySize"
> > > and "jdk.tls.namedGroups" are ignored, when the used Java version is 21 or
> > > 25. The properties are however used with Java 17. I tested this with Tomcat
> > > 11.0.18.
> > > Additionally, I tested Java 25 with Tomcat 11.0.11. This is the release
> > > before the aforementioned bug, and in that version the properties are still
> > > used.
> > >
> > > I guess that this is a bug, because in the default catalina.sh file,
> > > "-Djdk.tls.ephemeralDHKeySize=2048" is still set as a Java option, but this
> > > has no effect starting with Tomcat 11.0.12 and Java 21 or newer. In this
> > > scenario, Tomcat offers ffdhe2024 through ffdhe8192, whereas with 11.0.11
> > > only ffdhe2024 is offered (as expected).
> > >
> > > It would be highly appreciated if my assumption is correct, that this is
> > > indeed a bug, and if I should create a bug report for that.
> > >
> > For jdk.tls.namedGroups you should be using the new configuration. For
> > jdk.tls.ephemeralDHKeySize I'm not sure, I don't think this is so
> > useful anymore.
> >
> I forgot to mention this in my first post, but I'm actually using the
> embedded Tomcat in a Spring Boot application. I only tested it with a plain
> Tomcat to eliminate possible side effects from the Spring Boot
> bootstrapping.
> As far as I can tell, I would have to create the connector
> manually to set the namedGroups in the SSLHostConfig, because Spring Boot
> does not provide a way to pass such a property by itself.
> Also, the Tomcat documentation or changelog does not mention that with the
> 10.0.12 release it is no longer possible to use the JSSE properties.
>
> To me, this still seems like a bug that I would like to see resolved, so
> that it is possible again to use the JSSE properties to configure the JSSE
> provider.

Ok, some of the other fields are defaulting to the relevant system
property, so why not.

Rémy

> >
> > Rémy
> >
> > > Thanks and best regards,
> > > Benny
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
