Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8302100

Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit

    XMLWordPrintable

Details

    • behavioral
    • low
    • Hide
      There may have been some concern in the past that some TLS clients may not support DH keys higher than 1024 bits, but this should now be very low risk. Most leading web browsers have already deprecated the TLS_DHE suites so this should not be an issue. My testing shows no issues in the latest updates of JDK 6u and up, or OpenSSL 1.0.2 or later. JDK 1.5 was the last release that did not support DH keys greater than 1024-bits but that is a legacy release that has been unsupported for many years now.

      As a workaround, users can revert to the previous size by setting the "jdk.tls.ephemeralDHKeySize" system property to 1024 (at their own risk).
      Show
      There may have been some concern in the past that some TLS clients may not support DH keys higher than 1024 bits, but this should now be very low risk. Most leading web browsers have already deprecated the TLS_DHE suites so this should not be an issue. My testing shows no issues in the latest updates of JDK 6u and up, or OpenSSL 1.0.2 or later. JDK 1.5 was the last release that did not support DH keys greater than 1024-bits but that is a legacy release that has been unsupported for many years now. As a workaround, users can revert to the previous size by setting the "jdk.tls.ephemeralDHKeySize" system property to 1024 (at their own risk).
    • System or security property, Other
    • JDK

    Description

      Summary

      Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit.

      Problem

      The JDK implementation of TLS 1.2 uses a DH keysize of 1024 bits (chosen by the server) when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE (which can negotiate a stronger keysize) or the jdk.tls.ephemeralDHKeySize property is not set to a different keysize.

      Although negotiating a 1024-bit DH key is an uncommon case when clients and servers are configured properly, it can still occur. 1024-bit DH keys are known to be weak and are no longer recommended, thus we should increase the size.

      TLS 1.3 is not affected as the minimum DH group size is 2048 bits.

      Solution

      Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit.

      Specification

      The default value for the jdk.tls.ephemeralDHKeySize property is currently documented in Table 8.3 of the JSSE Reference Guide: https://docs.oracle.com/en/java/javase/19/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9. The default value will be changed from 1024 to 2048.

      We could document this property and the default in the javadocs, however that should ideally be done as a more general task of documenting all system properties applicable to TLS (see https://bugs.openjdk.org/browse/JDK-8249685).

      Attachments

        Issue Links

          csr of

          Enhancement - null JDK-8301700 Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit

          • P3 - Major loss of function.
          • Resolved

          Activity

            People

              mullan Sean Mullan
              mullan Sean Mullan
              Xuelei Fan
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: