JDK-8302100

Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit


    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description:
      There may have been some concern in the past that some TLS clients may not support DH keys higher than 1024 bits, but this should now be very low risk. Most leading web browsers have already deprecated the TLS_DHE suites, so this should not be an issue. My testing shows no issues in the latest updates of JDK 6u and up, or OpenSSL 1.0.2 or later. JDK 1.5 was the last release that did not support DH keys greater than 1024 bits, but that is a legacy release that has been unsupported for many years now.

      As a workaround, users can revert to the previous size by setting the "jdk.tls.ephemeralDHKeySize" system property to 1024 (at their own risk).
    • Interface Kind: System or security property, Other
    • Scope: JDK

      Summary

      Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit.

      Problem

      The JDK implementation of TLS 1.2 uses a DH key size of 1024 bits (chosen by the server) when a TLS_DHE cipher suite is negotiated and either the client or the server does not support FFDHE (which can negotiate a stronger key size) or the jdk.tls.ephemeralDHKeySize property is not set to a different key size.

      Although negotiating a 1024-bit DH key is an uncommon case when clients and servers are configured properly, it can still occur. 1024-bit DH keys are known to be weak and are no longer recommended, so the default size should be increased.

      TLS 1.3 is not affected as the minimum DH group size is 2048 bits.

      Solution

      Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit.

      Specification

      The default value for the jdk.tls.ephemeralDHKeySize property is currently documented in Table 8.3 of the JSSE Reference Guide: https://docs.oracle.com/en/java/javase/19/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9. The default value will be changed from 1024 to 2048.

      We could document this property and its default in the javadocs; however, that should ideally be done as part of the more general task of documenting all system properties applicable to TLS (see https://bugs.openjdk.org/browse/JDK-8249685).
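As an added example (not code from this CSR or from the JDK), the following POSIX shell script shows how an operator can verify which ephemeral DH group size a TLS 1.2 server actually negotiates for a TLS_DHE suite, using the "Server Temp Key" line that OpenSSL's s_client prints (OpenSSL 1.0.2 and later), and flags anything below 2048 bits, which covers both the old 1024-bit JDK default and a server that has set jdk.tls.ephemeralDHKeySize back to 1024. The host name, port, function names and sample s_client fragments are constructed placeholders, not values from the page.

```sh
#!/bin/sh
# Added example, not part of the CSR or the JDK: check what ephemeral DH group
# size a TLS 1.2 server negotiates for a DHE suite, by parsing the
# "Server Temp Key" line that OpenSSL's s_client prints (OpenSSL 1.0.2+).
#
# Live usage against a server you operate (host and port are placeholders):
#   openssl s_client -connect tls-server.example:8443 -tls1_2 -cipher 'DHE' \
#       </dev/null 2>/dev/null | dh_temp_key_bits
#
# On the Java side, the negotiated size for this case is governed by the
# property the CSR changes, e.g. starting the server with
#   java -Djdk.tls.ephemeralDHKeySize=2048 ...
# (2048 becomes the default once this change is in; an explicit value
# of 1024 restores the old behaviour, which this script would flag as weak).

# Read s_client output on stdin and print the DH group size in bits.
# Prints 0 when no DH temp key line is present, e.g. when an ECDHE key
# exchange such as X25519 was negotiated instead, or the handshake failed.
dh_temp_key_bits() {
  awk '
    /Server Temp Key: DH, [0-9]+ bits/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+$/) { print $i; found = 1; exit }
    }
    END { if (!found) print 0 }
  '
}

# Turn a bit count into a verdict: "none" (no DH key exchange), "weak"
# (below 2048 bits, the pre-change JDK default of 1024 included), or "ok".
dh_verdict() {
  if [ "$1" -eq 0 ]; then
    echo none
  elif [ "$1" -lt 2048 ]; then
    echo weak
  else
    echo ok
  fi
}

# Constructed s_client fragments (not real captures) used to exercise the
# parser offline; the second one mirrors a server still using the old default.
SAMPLE_DH2048='Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2011 bytes and written 470 bytes'
SAMPLE_DH1024='Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1845 bytes and written 470 bytes'
SAMPLE_ECDHE='Server Temp Key: X25519, 253 bits'

# Run the parser over a sample string instead of a live connection.
check_sample() {
  printf '%s\n' "$1" | dh_temp_key_bits
}

# Stand-alone run: report each constructed sample.
for s in "$SAMPLE_DH2048" "$SAMPLE_DH1024" "$SAMPLE_ECDHE"; do
  bits=$(check_sample "$s")
  echo "DH bits: $bits -> $(dh_verdict "$bits")"
done
```

The parser deliberately stops at the first matching line and ignores the byte counts in the handshake summary, and a verdict of "none" is not a pass: it only means the connection did not use finite-field DH, so the ECDHE or TLS 1.3 group in use should be assessed separately.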

            mullan Sean Mullan
            mullan Sean Mullan
            Xuelei Fan