Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

DHA with more than 1024 key size and Java still works

Daniel Nashed  6 April 2015 22:58:19
As posted before Java 6 and 7 cannot handle DHE key sizes above 1024 bit.
The work-around was to limit the DHE key size via notes.ini parameter SSL_DH_KEYSIZE=1024.
But this reduced the key size for all other clients that used DHE as well.

There is another idea who to work-around this limitation.
Java does only support the following DHE cipher:

33 - DHE_RSA_WITH_AES_128_CBC_SHA

This is the weakest DHE cipher supported by Domino. If we disable this cipher, Java will not use DHE any more and we are not limited by the DHE 1024 bit key-size that is the maximum size that Java supports.

Disabling this cipher results in the following ciphers to be used. for Java For Java 8 a different DHE cipher is implemented and the 1024 does not apply for Java 8.

Java 6u45          TLS 1.0         TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   No FS         128
Java 7u25         TLS 1.0         TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   No FS         128

Java 8u31         TLS 1.2         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS         128


This sounds like a good work-around for the Java DHE key-size limitation.

The resulting cipher spec for DHE with all other recommended ciphers enabled is the following:

SSLCIPHERSPEC=9D9C3D3C352F0A39676B9E9F

For more details check my previous blog posts.

-- Daniel


Comments

1Declan Lynch  16.04.2015 21:59:03  DHA with more than 1024 key size and Java still works

This also fixes issues with IBM Connections Mail plugin when pointing to a Domino server.


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]