On Sat, 23 May 2015 22:16:16 +0800, Xuelei Fan <xuelei....@oracle.com> wrote:

> I did not get your ideas in the previous mail.
> "jdk.tls.disabledAlgorithms" is expected to work to disable weak DH
> keys (for example, "DHE keySize < 768"). Can you describe your
> concern more?

This is exactly what I want to do. In order for a client to protect against a Logjam attack, it has to reject DHE groups with a prime smaller than a safe size. This is at least 768 bits, but more security-sensitive installations might want to restrict to >1024 or even >2048 bits as well.

Unfortunately, Java clients accept 512-bit groups (even when they do not offer export-grade ciphers). So a minimum fix would be to only accept 512 bits if it was offering export crypto. However, making the minimum configurable would be even better.

The current mechanism to restrict ciphers by key length does not seem to work, however. I suspect it only works for explicitly generated DH parameters but not for received DHE groups. I searched the ClientHandshaker for usages of algorithmConstraints, and it does not use it for the DHE part. It only questions KEY_AGREEMENT for cipher suite selection. (But I am not so familiar with the code; maybe you can point me to a place where the DHE size would be validated.)

Thinking about it, it might be possible to register an own Diffie-Hellman provider to enforce a limit, hm.

Regards,
Bernd
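The client-side check discussed in this thread, as an added example that is not part of the mailing-list exchange or of the JDK: it parses the ServerDHParams structure of a TLS ServerKeyExchange, derives the minimum prime size from a "DHE keySize < N" policy string, and rejects groups below that floor. The sample groups are constructed placeholders, not real primes, and the function names are assumptions.

```python
import re
import struct

# Derive the minimum DHE prime size from a jdk.tls.disabledAlgorithms-style
# entry such as "DHE keySize < 768"; returns None if no such constraint is set.
def min_dhe_bits_from_policy(policy: str):
    match = re.search(r"\bDHE\s+keySize\s*<\s*(\d+)", policy)
    return int(match.group(1)) if match else None

# Parse ServerDHParams from a TLS ServerKeyExchange body (RFC 5246, 7.4.3):
# three length-prefixed big-endian integers dh_p, dh_g, dh_Ys.
def parse_server_dh_params(body: bytes) -> dict:
    params, offset = {}, 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated length field for dh_{name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length {length} for dh_{name}")
        params[name] = int.from_bytes(body[offset:offset + length], "big")
        offset += length
    return params

# The check a client should apply before using a received DHE group: the prime
# must have at least min_bits significant bits (leading zero bytes in the
# encoding do not count), and g and Ys must lie strictly between 1 and p-1.
# Primality of p is not verified here.
def dhe_group_acceptable(params: dict, min_bits: int) -> bool:
    p, g, ys = params["p"], params["g"], params["Ys"]
    if p.bit_length() < min_bits:
        return False
    return 1 < g < p - 1 and 1 < ys < p - 1

# Encoder used only to build the constructed samples below.
def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed sample groups (placeholders with the top bit set, not real safe
# primes): a 512-bit export-grade group and a 1024-bit group.
P_512 = (1 << 511) | 0x1234ABCD
P_1024 = (1 << 1023) | 0x1234ABCD
SKE_512 = encode_server_dh_params(P_512, 2, P_512 // 3)
SKE_1024 = encode_server_dh_params(P_1024, 2, P_1024 // 3)

if __name__ == "__main__":
    floor = min_dhe_bits_from_policy("DHE keySize < 768")
    for label, body in (("512-bit", SKE_512), ("1024-bit", SKE_1024)):
        verdict = dhe_group_acceptable(parse_server_dh_params(body), floor)
        print(f"{label} group: {'accepted' if verdict else 'rejected'}")
```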