Am Sat, 23 May 2015 08:30:26 +0800 schrieb Xuelei Fan <xuelei....@oracle.com>:
> Please refer to the "Customizing Size of Ephemeral Diffie-Hellman > Keys" section of JSSE Reference Guide. > > http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html Thanks Xulei, but I think this does not address the minimum accepted size of an client SSLSocket (at least I could not see that in the description). It only allows to configure the server generated groups in the ServerKeyExchange. When setting jdk.tls.ephemeralDHKeySize=2048 I still can connect to https://dhe512.zmap.io/ Gruss Bernd BTW in Regards to the Server side: That document should mention that the parameter group is generated randomly on first use (matching DSA restrictions). It is a good thing there are no standard primes used, it would be better if they are constructed not specifically for DSA (as mentioned in the Logjam paper). I can imagine that in the future for higher security mutual agreed parameter groups become more important, so let me point to http://bugs.java.com/view_bug.do?bug_id=4641806 as well.
