JDK-8072452 : Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 8u31,9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2015-02-01
  • Updated: 2018-03-21
  • Resolved: 2016-04-15
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 JDK 8 JDK 9 Other
6u181Fixed 7u171Fixed 8u161Fixed 9 b115Fixed openjdk7uFixed
Related Reports
Blocks :  
Blocks :  
Duplicate :  
Duplicate :  
Duplicate :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Sub Tasks
JDK-8152732 :  
Description
A DESCRIPTION OF THE REQUEST :
Lots of Webservers have SSL Certificates with AES 128 and Diffie Hellmann Keys with more than 2048 Bits. When i try to connect to one of these servers with Java i became an Error that says:"Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)". To be more dynamic for the future please remove the maximum prime size and make it unlimited.

JUSTIFICATION :
To open a secure connection to an webserver via https its necessary to use SSL Certificates with DH-Keys which has an prime size bigger than 2048.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Unlimited maximum prime size.
ACTUAL -
The prime size has an maximum of 2048.


Comments
HTTP/2 has been released as RFC 7540.
20-05-2015

Please also update the limitation in JSSE. sun/security/ssl/ServerHandshaker.java ================ customizedDHKeySize = Integer.parseUnsignedInt(property); if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) { throw new IllegalArgumentException( "Customized DH key size should be positive integer " + "between 1024 and 2048 bits, inclusive"); }
20-05-2015

Raising priority to P2 since this is definitely needed for JDK 9.
13-05-2015

HTTP/2 (soon to be released as RFC 7540) requires 4096 DHE keys, so this will need to be addressed in JDK 9. Both SunPKCS11 and SunJCE will need to be updated.
11-05-2015

See also a related thread on security-dev: http://mail.openjdk.java.net/pipermail/security-dev/2015-March/011919.html
27-03-2015

Seems like we should at least consider supporting up to 4096 bit DH keys, so accepting this.
05-02-2015

This is one for the Security dev team to evaluate
04-02-2015