JDK-8148912 : Release Note: Improve the default strength of EC in JDK.
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 6u141,7u131,8u121,9
  • Priority: P2
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2016-02-03
  • Updated: 2017-03-22
  • Resolved: 2017-02-03
Version table: 6u141 Resolved; 7u131 Resolved; 8u121 Resolved; 9 Resolved
To improve the default strength of EC cryptography, EC keys smaller than 224 bits have been deactivated in certification path processing (via the "jdk.certpath.disabledAlgorithms" Security Property) and in SSL/TLS/DTLS connections (via the "jdk.tls.disabledAlgorithms" Security Property) in the JDK. Applications can update this restriction in the Security Properties and permit smaller key sizes if really needed (for example, "EC keySize < 192").
EC curves smaller than 256 bits are removed from the SSL/TLS/DTLS implementation in the JDK. The new System Property, "jdk.tls.namedGroups", defines a list of enabled named curves for EC cipher suites in order of preference. If an application needs to customize the default enabled EC curves or the curve preference order, update the System Property accordingly. For example:
    jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1"
Note that the default enabled or customized EC curves follow the algorithm constraints. For example, customized EC curves cannot re-activate the disabled EC keys defined by the Java Security Properties.
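The following audit sketch is an added example, not JDK code: it models only the "EC keySize" entries of a disabledAlgorithms value to show which curves in a "jdk.tls.namedGroups" list survive the constraint, and the smallest EC key size a relaxed setting would admit. The property values, function names and curve table are assumptions constructed for illustration; other constraint forms are ignored.

```python
import operator
import re

# NIST prime-curve names and their key sizes in bits (assumed lookup table).
CURVE_BITS = {"secp192r1": 192, "secp224r1": 224, "secp256r1": 256,
              "secp384r1": 384, "secp521r1": 521}
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, ">=": operator.ge}
# Matches entries such as "EC keySize < 224"; other entry forms are ignored.
KEYSIZE_ENTRY = re.compile(r"^(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$")

def ec_rules(disabled_algorithms):
    """Return [(operator, bits)] for each EC keySize entry in the property value."""
    rules = []
    for entry in disabled_algorithms.split(","):
        m = KEYSIZE_ENTRY.match(entry.strip())
        if m and m.group(1).upper() == "EC":
            rules.append((m.group(2), int(m.group(3))))
    return rules

def ec_size_disabled(bits, disabled_algorithms):
    """True if any EC keySize entry disables a key of this size."""
    return any(OPS[op](bits, limit) for op, limit in ec_rules(disabled_algorithms))

def effective_groups(named_groups, disabled_algorithms):
    """Split a jdk.tls.namedGroups value into (usable, rejected), keeping order."""
    usable, rejected = [], []
    for name in (g.strip() for g in named_groups.strip('"').split(",")):
        if not name:
            continue
        bits = CURVE_BITS.get(name)
        # Curves missing from CURVE_BITS are rejected rather than guessed at.
        if bits is None or ec_size_disabled(bits, disabled_algorithms):
            rejected.append(name)
        else:
            usable.append(name)
    return usable, rejected

def smallest_permitted_ec_size(disabled_algorithms, ceiling=521):
    """Smallest EC key size the constraints still allow, or None up to ceiling."""
    return next((b for b in range(1, ceiling + 1)
                 if not ec_size_disabled(b, disabled_algorithms)), None)

# Constructed property values: the 224-bit default and the relaxed form from the note.
DEFAULT = "SSLv3, RC4, EC keySize < 224"
RELAXED = "SSLv3, RC4, EC keySize < 192"
```

Running `smallest_permitted_ec_size` over a deployed property value and comparing the result with 224 is a quick way to spot a configuration that has been relaxed below the default.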
Important: Note that DTLS is a new feature in JDK 9. Please don't use DTLS in the release note for JDK 8u and previous releases.