JDK-8302100 : Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 7-pool,8-pool,11-pool,17-pool,20-pool,21
  • Submitted: 2023-02-08
  • Updated: 2023-02-14
  • Resolved: 2023-02-14
Description
Summary
-------

Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit.

Problem
-------

The JDK implementation of TLS 1.2 uses a DH key size of 1024 bits (chosen by the server) when a TLS_DHE cipher suite is negotiated and either the client or the server does not support FFDHE (which can negotiate a stronger key size) or the `jdk.tls.ephemeralDHKeySize` property is not set to a different key size.

Although negotiating a 1024-bit DH key is an uncommon case when clients and servers are configured properly, it can still occur. 1024-bit DH keys are known to be weak and are no longer recommended, so the default size should be increased.

TLS 1.3 is not affected as the minimum DH group size is 2048 bits.

Solution
--------

Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit.

Specification
-------------

The default value for the `jdk.tls.ephemeralDHKeySize` property is currently documented in Table 8.3 of the JSSE Reference Guide: https://docs.oracle.com/en/java/javase/19/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9. The default value will be changed from 1024 to 2048.

We could document this property and the default in the javadocs, however that should ideally be done as a more general task of documenting all system properties applicable to TLS (see https://bugs.openjdk.org/browse/JDK-8249685).
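The following is an added example, not JDK code or part of this CSR, showing what the property controls from an operator's point of view: it applies the 2048-bit setting explicitly (the mitigation for JDKs that still default to 1024), reads the configured size back, and generates an ephemeral DH key pair through the JDK's own `DiffieHellman` KeyPairGenerator to confirm the resulting group prime is at least 2048 bits. The class and method names are hypothetical, and the simplified parsing in `configuredDhKeySize` (treating any non-numeric value as "not configured") is an assumption that does not reproduce the JDK's internal handling of the property's special values.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import javax.crypto.interfaces.DHPublicKey;

/**
 * Added example (hypothetical class, not JDK code): illustrate the effect of
 * jdk.tls.ephemeralDHKeySize by generating an ephemeral DH key pair of the
 * configured size and measuring the group prime.
 */
public class EphemeralDhCheck {

    /** Minimum acceptable DH group size in bits: the new default from JDK-8302100. */
    static final int MIN_DH_BITS = 2048;

    /**
     * Resolve the key size to use when FFDHE is not negotiated.
     * Assumption (not the JDK's parser): a plain decimal bit count is honoured;
     * anything else (unset, blank, non-numeric) falls back to the supplied default.
     */
    static int configuredDhKeySize(String propertyValue, int jdkDefault) {
        if (propertyValue == null || propertyValue.isBlank()) {
            return jdkDefault;
        }
        try {
            return Integer.parseInt(propertyValue.trim());
        } catch (NumberFormatException e) {
            return jdkDefault;
        }
    }

    /** Generate an ephemeral DH key pair of the given size and return the actual prime size in bits. */
    static int generateAndMeasure(int keySizeBits) throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
        kpg.initialize(keySizeBits);
        KeyPair kp = kpg.generateKeyPair();
        BigInteger p = ((DHPublicKey) kp.getPublic()).getParams().getP();
        return p.bitLength();
    }

    public static void main(String[] args) throws Exception {
        // Operator-side mitigation on a JDK whose default is still 1024:
        // the property must be set before the first TLS handshake, for example
        // with -Djdk.tls.ephemeralDHKeySize=2048 or, as here, programmatically.
        if (System.getProperty("jdk.tls.ephemeralDHKeySize") == null) {
            System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");
        }

        // 1024 stands in for the pre-JDK-8302100 default when nothing is configured.
        int configured = configuredDhKeySize(System.getProperty("jdk.tls.ephemeralDHKeySize"), 1024);
        int actual = generateAndMeasure(configured);
        System.out.println("configured=" + configured + " bits, generated prime=" + actual + " bits");

        if (actual < MIN_DH_BITS) {
            throw new IllegalStateException("ephemeral DH group below " + MIN_DH_BITS + " bits");
        }
    }
}
```

Run it as `java EphemeralDhCheck` on a JDK 11 or later; with no property set it configures 2048 and prints a 2048-bit prime. Running it with `-Djdk.tls.ephemeralDHKeySize=1024` shows the weak case this CSR removes as a default: the check at the end throws. Note that on a real server the property only matters for TLS 1.2 DHE suites where FFDHE was not negotiated, exactly the case described in the Problem section above.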
Comments
Moving to Approved.
14-02-2023