On Tue, 17 Feb 2026 at 15:48, Christopher Schultz <[email protected]> wrote:

> Benny,
>
> On 2/17/26 9:38 AM, Benny Prange wrote:
> > On Tue, 17 Feb 2026 at 15:14, Rémy Maucherat <[email protected]> wrote:
> >
> >> On Tue, Feb 17, 2026 at 2:38 PM Benny Prange
> >> <[email protected]> wrote:
> >>>
> >>> Hi there,
> >>>
> >>> It seems that with the introduction of
> >>> https://bz.apache.org/bugzilla/show_bug.cgi?id=69800, some Java JSSE
> >>> properties are ignored if passed as a Java property.
> >>> In detail, I could verify that the properties "jdk.tls.ephemeralDHKeySize"
> >>> and "jdk.tls.namedGroups" are ignored when the used Java version is 21 or
> >>> 25. The properties are however used with Java 17. I tested this with
> >>> Tomcat 11.0.18.
> >>> Additionally, I tested Java 25 with Tomcat 11.0.11. This is the release
> >>> before the aforementioned bug, and in that version the properties are
> >>> still used.
> >>>
> >>> I guess that this is a bug, because in the default catalina.sh file,
> >>> "-Djdk.tls.ephemeralDHKeySize=2048" is still set as a Java option, but
> >>> this has no effect starting with Tomcat 11.0.12 and Java 21 or newer. In
> >>> this scenario, Tomcat offers ffdhe2024 through ffdhe8192, whereas with
> >>> 11.0.11 only ffdhe2024 is offered (as expected).
> >>>
> >>> It would be highly appreciated if you could confirm whether my assumption
> >>> is correct, that this is indeed a bug, and whether I should create a bug
> >>> report for that.
> >>
> >> For jdk.tls.namedGroups you should be using the new configuration. For
> >> jdk.tls.ephemeralDHKeySize I'm not sure, I don't think this is so
> >> useful anymore.
> >
> > I forgot to mention this in my first post, but I'm actually using the
> > embedded Tomcat in a Spring Boot application. I only tested it with a
> > plain Tomcat to eliminate possible side effects from the Spring Boot
> > bootstrapping. As far as I can tell, I would have to create the connector
> > manually to set the namedGroups in the SSLHostConfig, because Spring Boot
> > does not provide a way to pass such a property by itself.
> > Also, the Tomcat documentation or changelog does not mention that with
> > the 10.0.12 release it is no longer possible to use the JSSE properties.
> >
> > To me, this still seems like a bug that I would like to see resolved, so
> > that it is possible again to use the JSSE properties to configure the
> > JSSE provider.
>
> I'm curious, what value of jdk.tls.ephemeralDHKeySize are you attempting
> to use?

I previously set "-Djdk.tls.ephemeralDHKeySize=3072" and
"-Djdk.tls.namedGroups=secp521r1,secp384r1,secp256r1" to be (more) compliant
with some regulatory TLS requirements, which was no longer working after
upgrading from Spring Boot 3 and Java 17 to Spring Boot 4 and Java 25. The
requirements are set by the German Federal Office for Information Security.
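One way to set the SSLHostConfig named groups on the embedded Tomcat without building the connector by hand, as an added example that is not from this thread, from Tomcat or from Spring Boot: a TomcatConnectorCustomizer that applies the attribute to every SSLHostConfig Spring Boot has already attached to the connector. It assumes that Spring Boot's server.ssl.* handling has run before user customizers (so findSslHostConfigs() is non-empty), that the attribute is named "namedGroups" with the same comma-separated value format as the JSSE property quoted in the thread, and that the import path shown is the Spring Boot 3.x package (Spring Boot 4 may locate the interface elsewhere). The group list and class name are constructed for the example.

```java
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.IntrospectionUtils;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TlsNamedGroupsConfig {

    // Constructed value for the example; it mirrors the comma-separated list
    // the thread passed via -Djdk.tls.namedGroups, strongest group first.
    private static final String NAMED_GROUPS = "secp521r1,secp384r1,secp256r1";

    @Bean
    public TomcatConnectorCustomizer namedGroupsCustomizer() {
        return connector -> applyNamedGroups(connector, NAMED_GROUPS);
    }

    /**
     * Applies the "namedGroups" attribute to each SSLHostConfig on the connector.
     * Fails at startup rather than silently falling back to the JDK defaults,
     * which is the failure mode the thread is about.
     */
    static void applyNamedGroups(Connector connector, String namedGroups) {
        // Assumption: Spring Boot has already created and attached the
        // SSLHostConfig(s) for server.ssl.* before this customizer runs.
        SSLHostConfig[] hostConfigs = connector.findSslHostConfigs();
        if (hostConfigs.length == 0) {
            throw new IllegalStateException(
                    "No SSLHostConfig on connector; is server.ssl enabled?");
        }
        for (SSLHostConfig hostConfig : hostConfigs) {
            // IntrospectionUtils.setProperty is the same reflective setter Tomcat
            // uses for server.xml attributes. It returns false when no matching
            // setter exists, i.e. when this Tomcat version has no namedGroups
            // attribute, so the misconfiguration surfaces instead of being ignored.
            boolean applied = IntrospectionUtils.setProperty(hostConfig, "namedGroups", namedGroups);
            if (!applied) {
                throw new IllegalStateException(
                        "SSLHostConfig on this Tomcat version has no 'namedGroups' attribute");
            }
        }
    }
}
```

Because the check throws instead of logging, an upgrade to a Tomcat that renames or drops the attribute stops the application at startup, which is preferable to serving TLS with a different group list than the one the regulatory requirement calls for.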
