The default Diffie-Hellman key length in Java is still 1024. Reading https://weakdh.org/ you will find:
> If you’re a sysadmin or developer …
> Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.
Wanted
We mention this in our SecHub and PDS documentation AND we set a default inside application.yaml for SecHub Server AND for PDS a default value of 2048.
Technical information/solution
Starting with JDK 8 it became possible to set a DH key length greater than 1024 by setting the system property `jdk.tls.ephemeralDHKeySize` to the wanted key size.
de-jcup changed the title from "Either document Diffie-Hellman key increase or set a default to 2048" to "Document Diffie-Hellman key increase and set default to 2048" on Jul 6, 2021
Simply setting `jdk.tls.ephemeralDHKeySize` inside `application.yaml` is unfortunately not the solution, because it is not automatically injected by Spring Boot as a system property.
So we will introduce
- `SecHubSystemPropertyInjector`, which handles the Spring Boot value `sechub.security.diffiehellman.length`
- `PDSSystemPropertyInjector`, which handles the Spring Boot value `pds.security.diffiehellman.length`
Values will be set as usual inside the corresponding `application.yaml` and then injected automatically as the system property `jdk.tls.ephemeralDHKeySize` by the injector.
(If there is a need to inject another Java system property later, we can do this in the mentioned 2 classes for SecHub and PDS as well, so we have a central point.)
- introduce SystemPropertyInjector classes and
special keys for PDS and SecHub server, so configurable
by `application.yaml` files
- `application.yaml` files do now contain 2048 as default value
- documentation will be generated and points to issue at github
for details
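
One way such an injector could look, as an added example that is not SecHub's own code. The class name `ExampleDhKeySizeInjector` and the validation bounds are assumptions; the property key and the 2048 default come from the comment above.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

/** Added example; not the project's SecHubSystemPropertyInjector. */
@Component
public class ExampleDhKeySizeInjector {

    static final String JDK_PROPERTY = "jdk.tls.ephemeralDHKeySize";
    // Floor taken from the weakdh.org advice quoted in the issue.
    static final int MIN_BITS = 2048;
    // Assumption: upper bound and step accepted by current JDKs
    // (older JDK 8 builds accepted a smaller maximum).
    static final int MAX_BITS = 8192;
    static final int STEP = 64;

    // Constructor injection: Spring resolves the value from application.yaml
    // and this runs while the context is built. The JDK picks the property up
    // when its TLS key-exchange code is first used, so it has to be set
    // before the first handshake.
    public ExampleDhKeySizeInjector(
            @Value("${sechub.security.diffiehellman.length:2048}") String configured) {
        int bits = validate(configured);
        System.setProperty(JDK_PROPERTY, Integer.toString(bits));
    }

    // The JDK also understands the keywords "legacy" and "matched"; this
    // example deliberately accepts fixed sizes only, so a weak setting
    // fails at startup instead of silently taking effect.
    static int validate(String configured) {
        final int bits;
        try {
            bits = Integer.parseInt(configured.trim());
        } catch (NumberFormatException e) {
            throw new IllegalStateException(
                    "DH key length must be an integer, got: " + configured, e);
        }
        if (bits < MIN_BITS || bits > MAX_BITS || bits % STEP != 0) {
            throw new IllegalStateException("DH key length " + bits
                    + " rejected: need a multiple of " + STEP
                    + " between " + MIN_BITS + " and " + MAX_BITS);
        }
        return bits;
    }
}
```

A value passed with `-Djdk.tls.ephemeralDHKeySize=...` on the command line is overwritten by this class, so the YAML setting is the single source of truth.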