fwiw IME Java 1.7 prior to very recent updates is similarly affected, but you seem to have a good grasp of this issue so I will defer to your superior knowledge here..

On 4/5/2015 11:54 AM, Reindl Harald wrote:

Am 01.04.2015 um 19:45 schrieb David Boreham:
There are concerns that the parameter size should now be larger than was
historically typical (2048-bit vs 1024-bit). However, there is no
mechanism in the protocol to negotiate the DHE parameter size.
Furthermore there are clients fairly commonly encountered (e.g. Java
JSSE older than very recent releases) that do not accept a 2048-bit DHE
parameter from a server, and do not act gracefully as a result. For
these reasons it seems that DHE is normally best disabled on the server

wrong justification, that affects Java6 which doesn't support SNI and hence is anyways out of the game when it comes to ATS, all other known clients supporting DHE while not ECDHE are happy with a 2048 prime

Java 6u45  No SNI 2 Client does not support DH parameters > 1024 bits
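
An added example, not part of the thread: in TLS 1.2 the server alone picks the DHE prime and sends it in ServerKeyExchange as ServerDHParams (RFC 5246, section 7.4.3), so a client can only accept or reject it. The sketch below parses that structure and compares the prime size with a client limit; the function names are hypothetical, the sample bodies are constructed (right size, not real primes), and the 1024-bit limit is the Java 6u45 figure quoted above.

```python
import struct

def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams: dh_p, dh_g, dh_Ys, each an opaque vector
    with a 2-byte big-endian length prefix. Returns ((p, g, Ys), offset);
    for DHE_RSA the signature follows at `offset` and is ignored here."""
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(values), off

def dh_prime_bits(body: bytes) -> int:
    """Size of the prime the server chose; the client never proposed one."""
    (p, _g, _ys), _ = parse_server_dh_params(body)
    return p.bit_length()

def client_accepts(body: bytes, client_max_bits: int) -> bool:
    """Model a client with a hard upper bound on the DH prime size."""
    return dh_prime_bits(body) <= client_max_bits

def _vec(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw

def sample_body(bits: int) -> bytes:
    """Constructed ServerDHParams with a modulus of the requested size."""
    p = (1 << (bits - 1)) | 1  # constructed value, NOT a real prime
    return _vec(p) + _vec(2) + _vec(p - 2)

if __name__ == "__main__":
    for bits in (1024, 2048):
        body = sample_body(bits)
        print(bits, "accepted by 1024-bit-limited client:",
              client_accepts(body, 1024))
```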

