On Wed, Feb 18, 2026 at 2:18 PM Rémy Maucherat <[email protected]> wrote:
> On Tue, Feb 17, 2026 at 2:38 PM Benny Prange <[email protected]> wrote:
> >
> > Hi there,
> >
> > It seems that with the introduction of
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=69800, some Java JSSE
> > Properties are ignored if passed as a Java Property.
> > In detail, I could verify that the properties "jdk.tls.ephemeralDHKeySize"
> > and "jdk.tls.namedGroups" are ignored, when the used Java version is 21 or
> > 25. The properties are however used with Java 17. I tested this with Tomcat
> > 11.0.18.
> > Additionally, I tested Java 25 with Tomcat 11.0.11. This is the release
> > before the aforementioned bug, and in that version the properties are still
> > used.
> >
> > I guess that this is a bug, because in the default catalina.sh file,
> > "-Djdk.tls.ephemeralDHKeySize=2048" is still set as a Java option, but this
> > has no effect starting with Tomcat 11.0.12 and Java 21 or newer. In this
> > scenario, Tomcat offers ffdhe2024 through ffdhe8192, whereas with 11.0.11
> > only ffdhe2024 is offered (as expected).
> >
> > It would be highly appreciated if my assumption is correct, that this is
> > indeed a bug, and if I should create a bug report for that.
>
> I added back support for "jdk.tls.namedGroups" as it is done for other
> system properties, which are used to initialize the default value.
> I don't see any direct impact of any updates for
> "jdk.tls.ephemeralDHKeySize" however, so I am not sure. In the Java
> code, this is not used to set something that would be overridden,
> unlike the group configuration, and no relevant changes to our JSSE
> code have been made.
>
> Rémy
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

I just tested some different combinations of "jdk.tls.namedGroups" and
"jdk.tls.ephemeralDHKeySize", and I don't see any difference between Tomcat
11.0.11 and Tomcat 11.0.18, so I would agree that there is no need for
further changes.

I will test the SNAPSHOT build as soon as it becomes available in the
repository.

Thanks again and best regards,
Benny
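
Added example, not part of the thread and not Tomcat code: a standalone JSSE check of the mechanism discussed above, where "jdk.tls.namedGroups" only seeds the default group list and groups set explicitly on `SSLParameters` replace it. It assumes Java 20 or newer (where `SSLParameters.getNamedGroups()` and `setNamedGroups()` exist) and the default SunJSSE provider; the class name and the group lists are illustrative.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Illustrative check (hypothetical class name). Run for example with:
//   java -Djdk.tls.namedGroups=x25519,ffdhe2048 NamedGroupsCheck.java
public class NamedGroupsCheck {

    // A null array means "no explicit list, use the provider's defaults".
    static String describe(String[] groups) {
        return groups == null ? "(null: provider defaults)" : Arrays.toString(groups);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.namedGroups property: "
                + System.getProperty("jdk.tls.namedGroups"));

        // A server-side engine from the default context; no handshake is
        // performed, only the effective parameters are inspected.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);

        // Step 1: the engine's defaults. With the system property set,
        // this is the list the property seeded.
        String[] defaults = engine.getSSLParameters().getNamedGroups();
        System.out.println("engine default groups:        " + describe(defaults));

        // Step 2: what a container does when it applies its own group
        // configuration. An explicit list replaces the default, so the
        // system property no longer has any effect on this engine.
        SSLParameters params = engine.getSSLParameters();
        params.setNamedGroups(new String[] {"ffdhe2048", "ffdhe3072"}); // constructed sample
        engine.setSSLParameters(params);

        String[] effective = engine.getSSLParameters().getNamedGroups();
        System.out.println("after explicit configuration: " + describe(effective));

        // Flag the case where a configured list silently shadows the property.
        boolean shadowed = System.getProperty("jdk.tls.namedGroups") != null
                && !Arrays.equals(defaults, effective);
        System.out.println("system property shadowed:     " + shadowed);
    }
}
```

Running it once with and once without `-Djdk.tls.namedGroups=...` shows whether the property reaches the engine defaults on a given JDK before any container configuration is involved.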
