- Enhancement
- Resolution: Delivered
- P4
- None
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8318459 | 21.0.2 | Raymond Gallardo | P4 | Resolved | Delivered | |
The JSSE guide does not explain in enough detail how FFDHE and the jsse.enableFFDHE system property affect the DH key exchange when other properties, such as the jdk.tls.ephemeralDHKeySize system property, are also set.
Proposal is to add the following paragraph as the 2nd paragraph of https://docs.oracle.com/en/java/javase/21/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-D9B216E8-3EFC-4882-B76E-17A87D8F2F9D :
Unless the jdk.tls.ephemeralDHKeySize system property is set to "legacy",
the SunJSSE implementation will first try to negotiate a common DH group
using FFDHE, which is a TLS extension defined by RFC 7919.
If a group can be negotiated, the size defined by that group
will be used. Otherwise, the implementation will fall back to using a key size
as described below. FFDHE is enabled by default, but
can be disabled by setting the system property jsse.enableFFDHE to "false".
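To make the interaction between the two properties concrete, the following is an added example (not JDK or SunJSSE code) that parses a TLS supported_groups extension as a client would send it, then models the server-side choice the proposed paragraph describes: skip FFDHE entirely when jdk.tls.ephemeralDHKeySize is "legacy", otherwise negotiate a common RFC 7919 group when jsse.enableFFDHE is on, and fall back to the configured key size when no common group exists or FFDHE is off. Assumptions labelled in the code: "legacy" means 1024-bit DH and the default size is 2048 (per JDK-8301700, linked below); the server's own group order decides among common groups; the "matched" value of jdk.tls.ephemeralDHKeySize is not modelled; the constructed ClientHello also lists x25519 (code point 29) to show that non-FFDHE groups are ignored here.

```python
import struct

# RFC 7919 NamedGroup code points for the FFDHE groups: (name, modulus size in bits)
FFDHE_GROUPS = {
    256: ("ffdhe2048", 2048),
    257: ("ffdhe3072", 3072),
    258: ("ffdhe4096", 4096),
    259: ("ffdhe6144", 6144),
    260: ("ffdhe8192", 8192),
}
NAME_TO_CODE = {name: code for code, (name, _) in FFDHE_GROUPS.items()}

SUPPORTED_GROUPS_EXT = 10  # TLS extension type "supported_groups"


def encode_supported_groups(group_codes):
    """Build a supported_groups extension as a client puts it in its ClientHello:
    extension_type(2) | extension_data length(2) | named_group_list length(2) | uint16 codes."""
    body = b"".join(struct.pack("!H", c) for c in group_codes)
    data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(data)) + data


def parse_supported_groups(ext):
    """Parse one supported_groups extension and return its NamedGroup code points.
    Length fields come from the peer, so every one of them is checked before use."""
    if len(ext) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SUPPORTED_GROUPS_EXT:
        raise ValueError("not a supported_groups extension")
    if ext_len != len(ext) - 4:
        raise ValueError("extension_data length mismatch")
    (list_len,) = struct.unpack("!H", ext[4:6])
    if list_len != ext_len - 2 or list_len % 2 != 0:
        raise ValueError("named_group_list length mismatch")
    return list(struct.unpack("!%dH" % (list_len // 2), ext[6:6 + list_len]))


def select_dhe_group(client_ext, server_groups, ephemeral_dh_key_size="2048", enable_ffdhe=True):
    """Model (assumption, not SunJSSE code) of the server-side DH choice.
    server_groups: FFDHE group names the server enables, in its preference order.
    ephemeral_dh_key_size: value of jdk.tls.ephemeralDHKeySize ("legacy" or a size;
                           the "matched" value is not modelled here).
    enable_ffdhe: value of jsse.enableFFDHE.
    Returns (source, size_bits) where source is "legacy", "fallback" or "ffdhe:<group>"."""
    if ephemeral_dh_key_size == "legacy":
        # "legacy" skips FFDHE negotiation altogether; assumed to mean 1024-bit DH.
        return ("legacy", 1024)
    if enable_ffdhe:
        client_codes = set(parse_supported_groups(client_ext))
        for name in server_groups:  # assumption: server preference order wins
            code = NAME_TO_CODE[name]
            if code in client_codes:
                return ("ffdhe:" + name, FFDHE_GROUPS[code][1])
    # No common group, or FFDHE disabled: the property alone decides the key size.
    return ("fallback", int(ephemeral_dh_key_size))


if __name__ == "__main__":
    # Constructed ClientHello extension: x25519 (29), then ffdhe3072, then ffdhe2048.
    client = encode_supported_groups([29, NAME_TO_CODE["ffdhe3072"], NAME_TO_CODE["ffdhe2048"]])
    print(parse_supported_groups(client))
    print(select_dhe_group(client, ["ffdhe2048", "ffdhe3072"]))
    print(select_dhe_group(client, ["ffdhe2048"], ephemeral_dh_key_size="legacy"))
    print(select_dhe_group(client, ["ffdhe2048"], enable_ffdhe=False))
    print(select_dhe_group(client, ["ffdhe4096"], ephemeral_dh_key_size="3072"))
```

The point a practitioner should take from running it: setting jdk.tls.ephemeralDHKeySize to "legacy" does not merely lower the fallback size, it also prevents a client that offers ffdhe2048 or larger from ever getting an RFC 7919 group, so the weaker 1024-bit path is taken even though both sides support something stronger.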
- backported by
  - JDK-8318459 Incomplete JSSE docs for FFDHE (Resolved)
- relates to
  - JDK-8140436 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS (Resolved)
  - JDK-8297228 Out-of-date docs for jdk.tls.ephemeralKeySize property (Resolved)
  - JDK-8302577 Update JSSE Guide for JDK-8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit (Resolved)