Diffie-Hellman : Java Glossary



In SSL (Secure Sockets Layer) (https:) secure communications, the two ends must decide on a shared secret key without having arranged one in advance. The original method for doing that was called Diffie-Hellman. Alternatives include:


By default, Java no longer supports Diffie-Hellman. This means SSL will fail on sites that don’t support some alternative that Java supports. In theory, you can patch Java to make it work. I have not had success. The way I deal with it is to use Excelsior Jet, which uses its own SSL implementation that supports Diffie-Hellman. To enable it, you can make various patches:

Edit the java.security file by changing the jdk.tls.disabledAlgorithms property.

# Insert this code into java.security to turn Diffie Hellman back on

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4

jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        RSA_EXPORT, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC

You can also adjust:

// increase limit of Diffie-Hellman key size to 1024 or 2048
System.setProperty( "jdk.tls.ephemeralDHKeySize", "2048" );

or similar.

Java 1.8 now supports Diffie-Hellman 2048-bit MODP, when enabled. It used to support only 512 through 1024 bits.

Diffie-Hellman will fail when the remote site demands a key bigger than 2048 bits. In that case, you can compile with Jet, which supports larger keys, or use BouncyCastle.
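To see what a given JVM actually allows before and after changing these settings, the following added example (not code from the original page; the class and method names are hypothetical) prints the two properties discussed above, lists the finite-field Diffie-Hellman cipher suites the default SSLContext supports and enables, and tries DH key generation at 1024, 2048 and 4096 bits.

```java
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.interfaces.DHPublicKey;
import javax.net.ssl.SSLContext;

/** Added diagnostic (hypothetical class name): reports this JVM's Diffie-Hellman settings. */
public class DhSupportReport {

    /** Returns suites using finite-field DH key exchange (*_DHE_*, *_DH_*), not ECDHE/ECDH. */
    static List<String> dhSuites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("_DHE_") || s.contains("_DH_")) {
                out.add(s);
            }
        }
        return out;
    }

    /** Tries to generate a DH key pair of the given size; returns the prime's bit length, or -1. */
    static int tryDhKeySize(int bits) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
            kpg.initialize(bits);
            DHPublicKey pub = (DHPublicKey) kpg.generateKeyPair().getPublic();
            return pub.getParams().getP().bitLength();
        } catch (Exception e) { // the provider rejects sizes it does not support
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // The settings the page edits in java.security or sets at startup.
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.tls.ephemeralDHKeySize = " + System.getProperty("jdk.tls.ephemeralDHKeySize"));

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("DH suites supported: " + dhSuites(ctx.getSupportedSSLParameters().getCipherSuites()));
        System.out.println("DH suites enabled:   " + dhSuites(ctx.getDefaultSSLParameters().getCipherSuites()));

        for (int bits : new int[] {1024, 2048, 4096}) {
            int p = tryDhKeySize(bits);
            System.out.println("DH " + bits + "-bit key generation: " + (p < 0 ? "not supported" : "ok (p = " + p + " bits)"));
        }
    }
}
```

A suite that appears under "supported" but not under "enabled" is one the JVM implements but has switched off by policy, which is the case the java.security edit addresses.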

Diffie-Hellman also uses SHA digests which are usually 128, 256 or 384 bits long.

Canadian Mind Products
Contact Roedy. Please feel free to link to this page without explicit permission.
