Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?

From: gouessej@xxxxxxxxx
Date: Sun, 9 Jan 2022 13:03:06 +0100 (CET)
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Thank you very much for your suggestion. Is there a mean of changing that in Jetty without modifying the JRE?

When I run your commandline, it prints nothing on my server. The connection is refused. I'll try to adapt it to make it work, I should probably use another port. This is the script I use to configure my server from scratch:

https://sourceforge.net/p/red-feed-aggregator/code/ci/master/tree/minimal_self_hosting_setup.sh

> Message du 08/01/22 16:14
> De : "Travis Spencer" <travis@xxxxxxxxx>
> A : gouessej@xxxxxxxxx, "JETTY user mailing list" <jetty-users@xxxxxxxxxxx>
> Copie à :
> Objet : Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?
>
>

See https://java.com/en/configure_crypto.html#DHAKeySize

>

IINM, you can update $JAVA_HOME/conf/security/java.security (on Java 9+) or $JAVA_HOME/lib/security/java.security (on Java < 9) to have
>

>

DH keySize < 2048

>

in the jdk.tls.disabledAlgorithms security property.
>

>

If I read that weakdh.org web page and the java.com one correctly, I think that should disable weak DH params. To test, I did like this:

>

$ openssl s_client -connect localhost:443 -showcerts -cipher "EDH" < /dev/null 2>&1 | grep "Server Temp Key"
> Server Temp Key: DH, 2048 bits

>

Against my server, even without disabling DH keys < 2048, I still got the above value which IINM means the weakness spoken about on weakdh.org is not an issue.

>

HTH!
>

>

On Fri, Jan 7, 2022 at 10:52 PM <gouessej@xxxxxxxxx> wrote:
>

> Hello
>
> I would like to avoid using common Diffie Hellman primes in order to improve the security during key exchange, I tried to follow these steps:
> https://weakdh.org/sysadmin.html
>
> I know how to exclude some cipher suites:
> https://www.eclipse.org/jetty/javadoc/jetty-11/org/eclipse/jetty/util/ssl/SslContextFactory.html#addExcludeCipherSuites(java.lang.String...)
>
> However, I haven't found a way of telling Jetty to use new DH parameters generated with "openssl dhparam -out dhparams.pem 2048". Where can I cleanly override that?
>
> Best regards.
_______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
>

Follow-Ups:
- Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?
  - From: Simone Bordet

Prev by Date: Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?
Next by Date: Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?
Previous by thread: Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?
Next by thread: Re: [jetty-users] How to use a stronger Diffie Hellman group in Jetty?
Index(es):
- Date
- Thread

Breadcrumbs