BC : Java 7 1024 bit DH

BC : Java 7 1024 bit DH

Shiva Ram
Hi,

I have a server on Java 7u79 which I can't update to Java 8 as it breaks other dependencies. Many of my clients are using OpenSSL and they are complaining that they can't establish a connection to my server, as OpenSSL rejects DH keys smaller than 1024 bits. On investigating I found that Java 7u79 uses 768 bits. I investigated a bit and couldn't find a way to override it in Java 7u79.

Is it possible to do this in BC? Or is my only option to upgrade to Java 8?

Thanks much
Shiva



RE: BC : Java 7 1024 bit DH

Eckenfels. Bernd
The easiest option is to disable DHE, it will still use ECDHE which does not have this problem.

Of course you can try the alternative BCJSSE provider, not sure how mature it is.

Gruss
Bernd
--
http://www.seeburger.com
SEEBURGER AG
Sitz der Gesellschaft/Registered Office: Edisonstr. 1, D-75015 Bretten
Tel.: 07252 / 96 - 0
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de
e-mail: [hidden email]
Vorstand/SEEBURGER Executive Board: Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board: Prof. Dr. Simone Zeuchner
Registergericht/Commercial Register: HRB 240708 Mannheim

This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
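Bernd's suggestion, dropping the finite-field DHE suites so that the server only ever negotiates ECDHE (or RSA key transport) with OpenSSL clients, done programmatically on a JSSE server socket. This is an added example and is not code from the thread or from Bouncy Castle. It assumes the stock JSSE provider on Java 7 or later; it does not configure a key store, so the socket is created only to show the effect on the enabled suite list, not to serve connections.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class DisableDhe {

    // Keep every suite except the finite-field Diffie-Hellman ones.
    // JSSE names them "..._DHE_..." (ephemeral) and "..._DH_..." (static and anon).
    // ECDHE/ECDH suites are named "..._ECDHE_..." / "..._ECDH_..." and do not
    // contain "_DHE_" or "_DH_" as a substring, so they survive the filter.
    static String[] withoutFiniteFieldDh(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_DHE_") || s.contains("_DH_")) {
                continue;
            }
            kept.add(s);
        }
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0: any free port; we never accept() on it, the socket is only
        // here to demonstrate the suite list.
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);

        String[] before = server.getEnabledCipherSuites();
        server.setEnabledCipherSuites(withoutFiniteFieldDh(before));
        String[] after = server.getEnabledCipherSuites();

        System.out.println("enabled before: " + before.length + ", after: " + after.length);
        for (String s : after) {
            System.out.println("  " + s);
        }
        server.close();
    }
}
```

Check the printed list: no `TLS_DHE_*`, `SSL_DHE_*` or `TLS_DH_anon_*` entries should remain, while the `TLS_ECDHE_*` entries stay. For a Tomcat connector using the JSSE implementation (as in George's setup later in the thread) the same restriction is expressed declaratively through the connector's `ciphers` attribute rather than in code.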


Re: BC : Java 7 1024 bit DH

Pat0675
In reply to this post by Shiva Ram
Hi,

I don't know if this helps, but Java has a file in JRE /lib/security named java.security. In this file is a setting:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

which delimits the DH public key size. Probably you have to adjust this value.

Regards
Patrick



--
View this message in context: http://bouncy-castle.1462172.n4.nabble.com/BC-Java-7-1024-bit-DH-tp4658571p4658608.html
Sent from the Bouncy Castle - Dev mailing list archive at Nabble.com.


Re: BC : Java 7 1024 bit DH

Eckenfels. Bernd
Hello,

This is only the minimum length for rejecting in the security properties. The actual size proposed by Java cannot be changed in Java 7. In Java 8 you can use the system property -Djdk.tls.ephemeralDHKeySize=2048 (and the default changed to 1024).

--
http://www.seeburger.com
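The two settings Patrick and Bernd are talking about, side by side, since they are easy to confuse: the `java.security` entry is a floor on what the JVM will accept from a peer, while the size of the ephemeral group the JVM itself proposes as a server is a separate JVM system property that only exists from Java 8. This is an added configuration example, not a file from the thread; the 768-bit line is the one Patrick pasted, the rest is assumed illustrative values.

```properties
# $JAVA_HOME/jre/lib/security/java.security

# Acceptance floor: what this JVM will REJECT when a peer presents it.
# Raising it does not change what the JVM generates when it is the server.
# Line as pasted by Patrick (Java 7u79):
#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
# Aligned with what current OpenSSL clients already demand:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024

# Size of the ephemeral DH group the server GENERATES and PROPOSES.
# This is a JVM system property, not a java.security entry, and it is
# only honoured from Java 8 onward (Java 8 accepts "legacy", "matched",
# or an integer from 1024 to 2048):
#
#   java -Djdk.tls.ephemeralDHKeySize=2048 -jar server.jar
#
# On Java 7 there is no equivalent, which is why the options for the
# original poster come down to dropping the DHE suites or moving to Java 8.
```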

Re: BC : Java 7 1024 bit DH

George Stanchev
So I just wanted to throw in a comment and perhaps ask for clarification from people who know how DH works. We do inject BC at slot 2, JVM-wide, for our app server. I don't know if that makes a difference or not, but when we started running with a 2048 key size (via the property Bernd mentioned) our VMs became bogged down and unresponsive when SSL was being used. We had to lower the key size to 1024 to get performance back. Now granted, I know that those VMs (which we spun up for QA-ing our product) were probably configured low on CPU resources, but the bottom line for us was that using a larger key size was putting a big strain on the system. Unfortunately I cannot unbundle BC from our product to test whether it is an issue with the library or with JSSE in general at those higher key sizes.

So the question I have is: is it possible that BC is causing those high CPU loads, or is it DH (with a large key size) in general, or JSSE...

George


Re: BC : Java 7 1024 bit DH

David Hook-3

Are you configuring domain parameters for key generation, or are you
letting the provider generate its own (which is quite expensive)?

Regards,

David


Re: BC : Java 7 1024 bit DH

George Stanchev
We are not configuring the DH parameters. We're using Tomcat via its JSSE+JCE instead of the OpenSSL backend. Therefore, I guess we are letting the provider generate its own. Does this happen on each SSL session?


Re: BC : Java 7 1024 bit DH

David Hook-3

You'll need to configure them. I think you'll be generating a new set per-exchange otherwise.

Regards,

David

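David's point, that generating the DH domain parameters (the safe prime p and generator g) is the expensive step and must not happen per exchange, shown in standalone JCA code against the Bouncy Castle provider. This is an added example, not code from the thread, from Bouncy Castle or from JSSE, and it makes no claim about what JSSE does internally; it only measures the two steps separately. It assumes `bcprov` is on the classpath and inserts BC at slot 2 like George's setup. The default 1024-bit size runs in seconds; pass 2048 as the first argument to see how much the parameter step grows while the fixed-parameter exchange barely moves.

```java
import java.security.AlgorithmParameterGenerator;
import java.security.AlgorithmParameters;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.spec.DHParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class DhParameterCost {

    public static void main(String[] args) throws Exception {
        int bits = args.length > 0 ? Integer.parseInt(args[0]) : 1024;
        Security.insertProviderAt(new BouncyCastleProvider(), 2); // same slot as in the thread

        // Step 1: domain parameter generation. This searches for a large safe
        // prime and is the part you do NOT want to repeat per handshake.
        long t0 = System.nanoTime();
        AlgorithmParameterGenerator apg = AlgorithmParameterGenerator.getInstance("DH", "BC");
        apg.init(bits);
        AlgorithmParameters params = apg.generateParameters();
        DHParameterSpec spec = params.getParameterSpec(DHParameterSpec.class);
        long paramMs = (System.nanoTime() - t0) / 1000000L;

        // Step 2: the per-exchange work once the parameters are fixed: one key
        // pair per side plus the agreement itself. This is what a handshake
        // should cost when the server reuses (p, g).
        t0 = System.nanoTime();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH", "BC");
        kpg.initialize(spec);
        KeyPair server = kpg.generateKeyPair();
        KeyPair client = kpg.generateKeyPair();
        byte[] serverSecret = agree(server, client);
        byte[] clientSecret = agree(client, server);
        long exchangeMs = (System.nanoTime() - t0) / 1000000L;

        // Sanity check that both sides derived the same shared secret.
        if (!Arrays.equals(serverSecret, clientSecret)) {
            throw new IllegalStateException("shared secrets differ");
        }
        System.out.println(bits + "-bit DH parameter generation: " + paramMs + " ms");
        System.out.println("two key pairs + agreement with fixed parameters: " + exchangeMs + " ms");
    }

    // One side's half of the exchange: my private key against the peer's public key.
    static byte[] agree(KeyPair mine, KeyPair peer) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH", "BC");
        ka.init(mine.getPrivate());
        ka.doPhase(peer.getPublic(), true);
        return ka.generateSecret();
    }
}
```

In a real server the parameters are either generated once at startup and held in a `DHParameterSpec`, or taken from a published group such as the RFC 3526 2048-bit MODP group; either way the per-connection cost is only step 2.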