mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-28 15:24:43 +02:00
8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit
Reviewed-by: xuelei
This commit is contained in:
Sean Mullan
parent
52388179e6
commit
26b111d714
2 changed files with 20 additions and 29 deletions
|
|
@ -326,45 +326,36 @@ final class DHKeyExchange {
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* 768 bits ephemeral DH private keys were used to be used in
|
* 768 bit ephemeral DH private keys used to be used in
|
||||||
* ServerKeyExchange except that exportable ciphers max out at 512
|
* ServerKeyExchange except that exportable ciphers max out at 512
|
||||||
* bits modulus values. We still adhere to this behavior in legacy
|
* bit modulus values. We still adhere to this behavior in legacy
|
||||||
* mode (system property "jdk.tls.ephemeralDHKeySize" is defined
|
* mode (system property "jdk.tls.ephemeralDHKeySize" is defined
|
||||||
* as "legacy").
|
* as "legacy").
|
||||||
*
|
*
|
||||||
* Old JDK (JDK 7 and previous) releases don't support DH keys
|
* Only very old JDK releases don't support DH keys bigger than
|
||||||
* bigger than 1024 bits. We have to consider the compatibility
|
* 1024 bits (JDK 1.5 and 6u/7u releases prior to adding support
|
||||||
* requirement. 1024 bits DH key is always used for non-exportable
|
* for DH keys > 1024 bits - see JDK-8062834). A 2048 bit
|
||||||
* cipher suites in default mode (system property
|
* DH key is always used for non-exportable cipher suites in
|
||||||
|
* default mode (when the system property
|
||||||
* "jdk.tls.ephemeralDHKeySize" is not defined).
|
* "jdk.tls.ephemeralDHKeySize" is not defined).
|
||||||
*
|
*
|
||||||
* However, if applications want stronger strength, setting
|
|
||||||
* system property "jdk.tls.ephemeralDHKeySize" to "matched"
|
|
||||||
* is a workaround to use ephemeral DH key which size matches the
|
|
||||||
* corresponding authentication key. For example, if the public key
|
|
||||||
* size of an authentication certificate is 2048 bits, then the
|
|
||||||
* ephemeral DH key size should be 2048 bits accordingly unless
|
|
||||||
* the cipher suite is exportable. This key sizing scheme keeps
|
|
||||||
* the cryptographic strength consistent between authentication
|
|
||||||
* keys and key-exchange keys.
|
|
||||||
*
|
|
||||||
* Applications may also want to customize the ephemeral DH key
|
* Applications may also want to customize the ephemeral DH key
|
||||||
* size to a fixed length for non-exportable cipher suites. This
|
* size to a fixed length for non-exportable cipher suites. This
|
||||||
* can be approached by setting system property
|
* can be done by setting the system property
|
||||||
* "jdk.tls.ephemeralDHKeySize" to a valid positive integer between
|
* "jdk.tls.ephemeralDHKeySize" to a valid positive integer between
|
||||||
* 1024 and 8192 bits, inclusive.
|
* 1024 and 8192 bits, inclusive.
|
||||||
*
|
*
|
||||||
* Note that the minimum acceptable key size is 1024 bits except
|
* Note that the minimum acceptable key size is 2048 bits except
|
||||||
* exportable cipher suites or legacy mode.
|
* for exportable cipher suites or legacy mode.
|
||||||
*
|
*
|
||||||
* Note that per RFC 2246, the key size limit of DH is 512 bits for
|
* Note that per RFC 2246, the key size limit of DH is 512 bits for
|
||||||
* exportable cipher suites. Because of the weakness, exportable
|
* exportable cipher suites. Because of the weakness, exportable
|
||||||
* cipher suites are deprecated since TLS v1.1 and they are not
|
* cipher suites are deprecated since TLS v1.1 and they are not
|
||||||
* enabled by default in Oracle provider. The legacy behavior is
|
* enabled by default in Oracle provider. The legacy behavior is
|
||||||
* reserved and 512 bits DH key is always used for exportable
|
* preserved and a 512 bit DH key is always used for exportable
|
||||||
* cipher suites.
|
* cipher suites.
|
||||||
*/
|
*/
|
||||||
int keySize = exportable ? 512 : 1024; // default mode
|
int keySize = exportable ? 512 : 2048; // default mode
|
||||||
if (!exportable) {
|
if (!exportable) {
|
||||||
if (useLegacyEphemeralDHKeys) { // legacy mode
|
if (useLegacyEphemeralDHKeys) { // legacy mode
|
||||||
keySize = 768;
|
keySize = 768;
|
||||||
|
|
@ -390,7 +381,7 @@ final class DHKeyExchange {
|
||||||
// limit in the future when the compatibility and
|
// limit in the future when the compatibility and
|
||||||
// interoperability impact is limited.
|
// interoperability impact is limited.
|
||||||
keySize = ks <= 1024 ? 1024 : 2048;
|
keySize = ks <= 1024 ? 1024 : 2048;
|
||||||
} // Otherwise, anonymous cipher suites, 1024-bit is used.
|
} // Otherwise, anonymous cipher suites, 2048-bit is used.
|
||||||
} else if (customizedDHKeySize > 0) { // customized mode
|
} else if (customizedDHKeySize > 0) { // customized mode
|
||||||
keySize = customizedDHKeySize;
|
keySize = customizedDHKeySize;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
|
|
@ -28,7 +28,7 @@
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* @test
|
* @test
|
||||||
* @bug 6956398
|
* @bug 6956398 8301700
|
||||||
* @summary make ephemeral DH key match the length of the certificate key
|
* @summary make ephemeral DH key match the length of the certificate key
|
||||||
* @run main/othervm -Djdk.tls.client.enableSessionTicketExtension=false
|
* @run main/othervm -Djdk.tls.client.enableSessionTicketExtension=false
|
||||||
* DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1643 267
|
* DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1643 267
|
||||||
|
|
@ -54,7 +54,7 @@
|
||||||
*
|
*
|
||||||
* @run main/othervm -Djsse.enableFFDHE=false
|
* @run main/othervm -Djsse.enableFFDHE=false
|
||||||
* -Djdk.tls.client.enableSessionTicketExtension=false
|
* -Djdk.tls.client.enableSessionTicketExtension=false
|
||||||
* DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1387 139
|
* DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1643 267
|
||||||
* @run main/othervm -Djsse.enableFFDHE=false
|
* @run main/othervm -Djsse.enableFFDHE=false
|
||||||
* -Djdk.tls.ephemeralDHKeySize=legacy
|
* -Djdk.tls.ephemeralDHKeySize=legacy
|
||||||
* -Djdk.tls.client.enableSessionTicketExtension=false
|
* -Djdk.tls.client.enableSessionTicketExtension=false
|
||||||
|
|
@ -70,7 +70,7 @@
|
||||||
*
|
*
|
||||||
* @run main/othervm -Djsse.enableFFDHE=false
|
* @run main/othervm -Djsse.enableFFDHE=false
|
||||||
* -Djdk.tls.client.enableSessionTicketExtension=false
|
* -Djdk.tls.client.enableSessionTicketExtension=false
|
||||||
* DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 361 139
|
* DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 617 267
|
||||||
* @run main/othervm -Djsse.enableFFDHE=false
|
* @run main/othervm -Djsse.enableFFDHE=false
|
||||||
* -Djdk.tls.client.enableSessionTicketExtension=false
|
* -Djdk.tls.client.enableSessionTicketExtension=false
|
||||||
* -Djdk.tls.ephemeralDHKeySize=legacy
|
* -Djdk.tls.ephemeralDHKeySize=legacy
|
||||||
|
|
@ -78,7 +78,7 @@
|
||||||
* @run main/othervm -Djsse.enableFFDHE=false
|
* @run main/othervm -Djsse.enableFFDHE=false
|
||||||
* -Djdk.tls.client.enableSessionTicketExtension=false
|
* -Djdk.tls.client.enableSessionTicketExtension=false
|
||||||
* -Djdk.tls.ephemeralDHKeySize=matched
|
* -Djdk.tls.ephemeralDHKeySize=matched
|
||||||
* DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 361 139
|
* DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 617 267
|
||||||
* @run main/othervm -Djsse.enableFFDHE=false
|
* @run main/othervm -Djsse.enableFFDHE=false
|
||||||
* -Djdk.tls.client.enableSessionTicketExtension=false
|
* -Djdk.tls.client.enableSessionTicketExtension=false
|
||||||
* -Djdk.tls.ephemeralDHKeySize=1024
|
* -Djdk.tls.ephemeralDHKeySize=1024
|
||||||
|
|
@ -106,7 +106,7 @@
|
||||||
* } dh_public;
|
* } dh_public;
|
||||||
* } ClientDiffieHellmanPublic;
|
* } ClientDiffieHellmanPublic;
|
||||||
*
|
*
|
||||||
* Fomr above structures, it is clear that if the DH key size increasing 128
|
* From the above structures, it is clear that if the DH key size increases 128
|
||||||
* bits (16 bytes), the ServerHello series messages increases 48 bytes
|
* bits (16 bytes), the ServerHello series messages increases 48 bytes
|
||||||
* (becuase dh_p, dh_g and dh_Ys each increase 16 bytes) and ClientKeyExchange
|
* (becuase dh_p, dh_g and dh_Ys each increase 16 bytes) and ClientKeyExchange
|
||||||
* increases 16 bytes (because of the size increasing of dh_Yc).
|
* increases 16 bytes (because of the size increasing of dh_Yc).
|
||||||
|
|
@ -117,7 +117,7 @@
|
||||||
* 512-bit | 1259 bytes | 75 bytes | 233 bytes
|
* 512-bit | 1259 bytes | 75 bytes | 233 bytes
|
||||||
* 768-bit | 1323 bytes | 107 bytes | 297 bytes
|
* 768-bit | 1323 bytes | 107 bytes | 297 bytes
|
||||||
* 1024-bit | 1387 bytes | 139 bytes | 361 bytes
|
* 1024-bit | 1387 bytes | 139 bytes | 361 bytes
|
||||||
* 2048-bit | 1643 bytes | 267 bytes | 361 bytes
|
* 2048-bit | 1643 bytes | 267 bytes | 617 bytes
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import javax.net.ssl.*;
|
import javax.net.ssl.*;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue