On Tue, Feb 17, 2026 at 3:14 PM Rémy Maucherat <[email protected]> wrote:
> On Tue, Feb 17, 2026 at 2:38 PM Benny Prange
> <[email protected]> wrote:
> >
> > Hi there,
> >
> > It seems that with the introduction of
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=69800, some Java JSSE
> > properties are ignored if passed as a Java property.
> > In detail, I could verify that the properties "jdk.tls.ephemeralDHKeySize"
> > and "jdk.tls.namedGroups" are ignored when the used Java version is 21 or
> > 25. The properties are however used with Java 17. I tested this with Tomcat
> > 11.0.18.
> > Additionally, I tested Java 25 with Tomcat 11.0.11. This is the release
> > before the aforementioned bug, and in that version the properties are still
> > used.
> >
> > I guess that this is a bug, because in the default catalina.sh file,
> > "-Djdk.tls.ephemeralDHKeySize=2048" is still set as a Java option, but this
> > has no effect starting with Tomcat 11.0.12 and Java 21 or newer. In this
> > scenario, Tomcat offers ffdhe2024 through ffdhe8192, whereas with 11.0.11
> > only ffdhe2024 is offered (as expected).
> >
> > It would be highly appreciated if my assumption is correct, that this is
> > indeed a bug, and if I should create a bug report for that.
>
> For jdk.tls.namedGroups you should be using the new configuration. For
> jdk.tls.ephemeralDHKeySize I'm not sure, I don't think this is so
> useful anymore.

I forgot to mention this in my first post, but I'm actually using the embedded Tomcat in a Spring Boot application. I only tested it with a plain Tomcat to eliminate possible side effects from the Spring Boot bootstrapping. As far as I can tell, I would have to create the connector manually to set the namedGroups in the SSLHostConfig, because Spring Boot does not provide a way to pass such a property by itself. Also, the Tomcat documentation or changelog does not mention that with the 10.0.12 release it is no longer possible to use the JSSE properties.

To me, this still seems like a bug that I would like to see resolved, so that it is possible again to use the JSSE properties to configure the JSSE provider.

> Rémy
>
> > Thanks and best regards,
> > Benny
