Does JDK 1.8 support Cipher suites with Diffie-Hellman (DH) keys of size 4096 bits
I want to know if JDK 1.8 supports DH key length of 4096 bits.

Everywhere I searched, I found that jdk.tls.ephemeralDHKeySize accepts only values between 1024 and 2048 bits.

I have to connect to a site which supports

"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 4096 bits (p: 512, g: 1, Ys: 512)".

But I am getting

"Could not generate DH keypair" Exception.

EDIT:

Adding a bit of additional info:

I am using Apache httpclient-4.2.5 for connecting to the site. The server also supports

"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) - 4096 bits".

When I use JDK 1.8 and try to connect, the cipher suite is selected by the server, but JDK 1.8 supports only 2048 bits and my connection fails.

EDIT:

Bouncy Castle can be used as a workaround to support 4096 bits: https://bugs.java.com/bugdatabase/view_bug?bug_id=6521495

Embankment answered 20/4, 2015 at 10:47 Comment(2)
Not sure if this is really necessary in this case. But when using cryptography with extra large keys it is usually a good idea to install the Unlimited Strength Java Cryptography Extension Policy Files into the JRE. - Innate
Thanks @Robert! I have installed the Unlimited Strength JCE too and am still getting the same error. Could you please elaborate on why it is not necessary, so that I can find out where I am going wrong. - Embankment
Apparently it works on Windows and OS X, but not on Linux. Don't ask why; all I know is that Windows and OS X clients can connect via Java to servers with a 4096-bit key size while Linux clients can't.

https://bugzilla.redhat.com/show_bug.cgi?id=1163501

It's not even fixed in Fedora yet, so it may take quite a while before it makes it into CentOS/RHEL.

Oxycephaly answered 28/4, 2015 at 21:58 Comment(0)
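Before changing providers or platforms it helps to know exactly which DH sizes the JRE you actually run will generate, and whether Bouncy Castle changes that on the same box. The probe below is an added example written for this page; it is not code from the question, the answer, or the JDK. It asks the JCA KeyPairGenerator for "DiffieHellman" key pairs of several sizes and reports the result per provider. SunJSSE initializes that same generator from the server's (p, g) during a DHE handshake, so a size the generator refuses here is the size that surfaces as "Could not generate DH keypair" in the handshake. Two caveats the thread touches on: jdk.tls.ephemeralDHKeySize only governs the DH parameter size a JSSE *server* picks, it does not raise a client's limit, and the Unlimited Strength policy files affect symmetric key lengths, not DH parameter sizes. Assumptions: Bouncy Castle, if present, is bcprov on the classpath with the provider class org.bouncycastle.jce.provider.BouncyCastleProvider and provider name "BC" (loaded by reflection so the probe compiles without it); the size list is illustrative.

```java
import java.lang.reflect.Constructor;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.interfaces.DHPublicKey;

/**
 * Probe which Diffie-Hellman key sizes the running JRE (and optionally
 * Bouncy Castle) can generate. Added example, not code from the original post.
 */
public class DhKeySizeProbe {

    /** Illustrative sizes a DHE server might use; 4096 is the one from the question. */
    static final int[] SIZES = {1024, 2048, 3072, 4096};

    /**
     * Try to generate a DH key pair of the given size with the named provider
     * (null = default provider search order). Returns a one-line result instead
     * of throwing so the caller can print a table for all sizes.
     */
    static String probe(int bits, String providerName) {
        try {
            KeyPairGenerator kpg = (providerName == null)
                    ? KeyPairGenerator.getInstance("DiffieHellman")
                    : KeyPairGenerator.getInstance("DiffieHellman", providerName);
            kpg.initialize(bits);                 // InvalidParameterException if the size is refused
            KeyPair kp = kpg.generateKeyPair();   // may also fail with a ProviderException
            DHPublicKey pub = (DHPublicKey) kp.getPublic();
            int pBits = pub.getParams().getP().bitLength();
            return "ok (provider=" + kpg.getProvider().getName() + ", p=" + pBits + " bits)";
        } catch (NoSuchProviderException e) {
            return "provider " + providerName + " not installed";
        } catch (NoSuchAlgorithmException e) {
            return "no DiffieHellman implementation: " + e.getMessage();
        } catch (RuntimeException e) {            // InvalidParameterException, ProviderException, ...
            return "FAILED: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    /**
     * Register Bouncy Castle if bcprov is on the classpath. Loaded by reflection so
     * this file compiles without the jar (assumption: standard BC provider class name).
     */
    static boolean registerBouncyCastle() {
        try {
            Class<?> c = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Constructor<?> ctor = c.getDeclaredConstructor();
            Security.addProvider((Provider) ctor.newInstance());
            return true;
        } catch (ReflectiveOperationException | RuntimeException e) {
            return false;   // BC absent: probe only the JRE's own provider
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version=" + System.getProperty("java.version")
                + " os.name=" + System.getProperty("os.name")
                + " jdk.tls.ephemeralDHKeySize=" + System.getProperty("jdk.tls.ephemeralDHKeySize"));
        boolean bc = registerBouncyCastle();
        for (int bits : SIZES) {
            System.out.println("DH " + bits + " (default provider): " + probe(bits, null));
            if (bc) {
                System.out.println("DH " + bits + " (BC)              : " + probe(bits, "BC"));
            }
        }
    }
}
```

Run it once with plain `java DhKeySizeProbe` and once with `java -cp .:bcprov-jdk15on-*.jar DhKeySizeProbe` on each platform you care about; comparing the two tables on a Linux and a Windows host is the quickest way to confirm or rule out the platform difference described in the answer above, and a line reading `FAILED: InvalidParameterException` for 4096 is the same limit that breaks the DHE handshake. If Bouncy Castle succeeds where the default provider fails, that is the workaround from the question's second edit; note that registering BC only for key generation still requires the TLS client to be able to use it, so test the real connection afterwards rather than relying on the probe alone.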

© 2022 - 2024 — McMap. All rights reserved.