On Tue, Feb 17, 2026 at 4:02 PM Rémy Maucherat <[email protected]> wrote:
> On Tue, Feb 17, 2026 at 3:39 PM Benny Prange <[email protected]> wrote:
> >
> > On Tue, Feb 17, 2026 at 3:14 PM Rémy Maucherat <[email protected]> wrote:
> >
> > > On Tue, Feb 17, 2026 at 2:38 PM Benny Prange <[email protected]> wrote:
> > > >
> > > > Hi there,
> > > >
> > > > It seems that with the introduction of
> > > > https://bz.apache.org/bugzilla/show_bug.cgi?id=69800, some Java JSSE
> > > > properties are ignored if passed as a Java property.
> > > > In detail, I could verify that the properties "jdk.tls.ephemeralDHKeySize"
> > > > and "jdk.tls.namedGroups" are ignored when the Java version used is 21 or
> > > > 25. The properties are, however, used with Java 17. I tested this with
> > > > Tomcat 11.0.18.
> > > > Additionally, I tested Java 25 with Tomcat 11.0.11. This is the release
> > > > before the aforementioned bug, and in that version the properties are
> > > > still used.
> > > >
> > > > I guess that this is a bug, because in the default catalina.sh file,
> > > > "-Djdk.tls.ephemeralDHKeySize=2048" is still set as a Java option, but
> > > > this has no effect starting with Tomcat 11.0.12 and Java 21 or newer. In
> > > > this scenario, Tomcat offers ffdhe2024 through ffdhe8192, whereas with
> > > > 11.0.11 only ffdhe2024 is offered (as expected).
> > > >
> > > > It would be highly appreciated if you could confirm whether my assumption
> > > > is correct, that this is indeed a bug, and whether I should create a bug
> > > > report for it.
> > >
> > > For jdk.tls.namedGroups you should be using the new configuration. For
> > > jdk.tls.ephemeralDHKeySize I'm not sure, I don't think this is so
> > > useful anymore.
> >
> > I forgot to mention this in my first post, but I'm actually using the
> > embedded Tomcat in a Spring Boot application. I only tested it with a
> > plain Tomcat to eliminate possible side effects from the Spring Boot
> > bootstrapping. As far as I can tell, I would have to create the connector
> > manually to set the namedGroups in the SSLHostConfig, because Spring Boot
> > does not provide a way to pass such a property by itself.
> > Also, the Tomcat documentation and changelog do not mention that with the
> > 10.0.12 release it is no longer possible to use the JSSE properties.
> >
> > To me, this still seems like a bug that I would like to see resolved, so
> > that it is possible again to use the JSSE properties to configure the
> > JSSE provider.
>
> Ok, some of the other fields are defaulting to the relevant system
> property, so why not.
>
> Rémy

Happy to hear that, thanks a lot.

Best regards,
Benny
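The "create the connector manually" workaround Benny describes for embedded Tomcat can be done without replacing Spring Boot's connector: a TomcatConnectorCustomizer runs after Spring Boot has applied its SSL settings, so it can adjust the SSLHostConfig that already exists. The following is an added example, not code from the thread or from the Tomcat or Spring Boot projects. It assumes the Spring Boot 3.x package name for TomcatConnectorCustomizer (newer releases may relocate it), and it assumes that the SSLHostConfig attribute Benny refers to as namedGroups is exposed as a setter named setNamedGroups taking the same comma-separated list that jdk.tls.namedGroups accepted; that setter name is an assumption to be checked against the SSLHostConfig documentation of the Tomcat release in use. The group list is a constructed sample value.

```java
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Pins the TLS named groups on the embedded Tomcat connector so that the
// server advertises only the groups listed here, instead of relying on the
// jdk.tls.namedGroups system property that newer Tomcat/JDK combinations
// no longer honour (as reported in the thread above).
@Configuration
public class TlsNamedGroupsConfig {

    // Constructed sample: the curves and the single 2048-bit FFDHE group
    // an operator might want to allow.  Adjust to local policy.
    private static final String ALLOWED_GROUPS = "x25519,secp256r1,ffdhe2048";

    @Bean
    public TomcatConnectorCustomizer restrictNamedGroups() {
        return (Connector connector) -> {
            // Only a TLS-enabled connector carries SSLHostConfig entries; for a
            // plain HTTP connector findSslHostConfigs() returns an empty array,
            // so the loop body is simply skipped.
            for (SSLHostConfig sslHostConfig : connector.findSslHostConfigs()) {
                // Assumption: the namedGroups attribute mentioned in the thread
                // is exposed as setNamedGroups(String).  Verify the exact name
                // in the SSLHostConfig reference for your Tomcat version.
                sslHostConfig.setNamedGroups(ALLOWED_GROUPS);
            }
        };
    }
}
```

After startup, confirm the effect from the outside rather than trusting the configuration: a TLS client that offers only a group outside the list (for example one of the larger FFDHE groups the thread saw being advertised) should now fail the handshake, while one offering ffdhe2048 or the listed curves should succeed.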
