JDK-8072452

Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits

    Details

    • Subcomponent:
    • Resolved In Build:
      b115
    • CPU:
      x86_64
    • OS:
      windows_7
    • Verification:
      Verified

        Description

        A DESCRIPTION OF THE REQUEST :
        Lots of web servers have SSL certificates with AES 128 and Diffie-Hellman keys with more than 2048 bits. When I try to connect to one of these servers with Java I get an error that says: "Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)". To be more dynamic for the future please remove the maximum prime size and make it unlimited.

        JUSTIFICATION :
        To open a secure connection to a web server via HTTPS it's necessary to use SSL certificates with DH keys which have a prime size bigger than 2048.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Unlimited maximum prime size.
        ACTUAL -
        The prime size has a maximum of 2048.
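
The size limit the report describes can be checked directly on any given JDK. The following is an added example, not code from the JDK project or from this issue; the class name `KeySizeProbe` and the list of probed sizes are assumptions chosen for illustration, and it assumes the JDK's bundled providers, where `initialize(int)` validates the size without generating a key.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: reports which DH and DSA key sizes the default provider accepts. */
public class KeySizeProbe {

    // Sizes named on this page: the old 2048-bit ceiling, the 3072-bit DSA and
    // 4096/8192-bit DH targets, plus 1024 as a baseline (assumed probe list).
    private static final int[] DH_SIZES = {1024, 2048, 3072, 4096, 8192};
    private static final int[] DSA_SIZES = {1024, 2048, 3072};

    /**
     * Calls initialize(size) only; generateKeyPair() is never invoked, so no
     * key material is produced by this probe.
     * Returns size -> "accepted" or the provider's own rejection message.
     */
    static Map<Integer, String> probe(String algorithm, int[] sizes)
            throws NoSuchAlgorithmException {
        Map<Integer, String> results = new LinkedHashMap<>();
        for (int size : sizes) {
            // Fresh generator per size so a failed initialize cannot leak state.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm);
            try {
                kpg.initialize(size);
                results.put(size, "accepted");
            } catch (InvalidParameterException e) {
                results.put(size, "rejected: " + e.getMessage());
            }
        }
        return results;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String alg : new String[] {"DiffieHellman", "DSA"}) {
            int[] sizes = alg.equals("DSA") ? DSA_SIZES : DH_SIZES;
            probe(alg, sizes).forEach((size, outcome) ->
                    System.out.printf("%-13s %5d bits  %s%n", alg, size, outcome));
        }
    }
}
```

A runtime that still enforces the 2048-bit ceiling reports the larger sizes as rejected, with the provider's message alongside.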

            Activity

            coffeys Sean Coffey added a comment -
            This is one for the Security dev team to evaluate
            mullan Sean Mullan added a comment -
            Seems like we should at least consider supporting up to 4096 bit DH keys, so accepting this.
            mullan Sean Mullan added a comment -
            See also a related thread on security-dev: http://mail.openjdk.java.net/pipermail/security-dev/2015-March/011919.html
            wetmore Bradford Wetmore added a comment -
            HTTP/2 (soon to be released as RFC 7540) requires 4096 DHE keys, so this will need to be addressed in JDK 9.

            Both SunPKCS11 and SunJCE will need to be updated.
            mullan Sean Mullan added a comment -
            Raising priority to P2 since this is definitely needed for JDK 9.
            xuelei Xue-Lei Fan added a comment - - edited
            Please also update the limitation in JSSE.

            sun/security/ssl/ServerHandshaker.java
            ================
            customizedDHKeySize = Integer.parseUnsignedInt(property);
            if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) {
                throw new IllegalArgumentException(
                        "Customized DH key size should be positive integer " +
                        "between 1024 and 2048 bits, inclusive");
            }
            wetmore Bradford Wetmore added a comment -
            HTTP/2 has been released as RFC 7540.
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/0bb2dfd0852c
            User: xuelei
            Date: 2016-04-15 11:09:53 +0000
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/0bb2dfd0852c
            User: lana
            Date: 2016-04-20 17:52:51 +0000

              People

              • Assignee:
                xuelei Xue-Lei Fan
                Reporter:
                webbuggrp Webbug Group