In SSL (Secure Sockets Layer) (https:) secure communications, the two ends must decide on a shared secret key without having arranged one in advance. The original method for doing that was called Diffie-Hellman. Alternatives include:
By default, Java no longer supports Diffie-Hellman. This means SSL will fail on sites that don’t support some alternative that Java supports. In theory, you can patch Java to make it work. I have not had success. The way I deal with it is to use Excelsior Jet which uses its own SSL implementation that supports Diffie-Hellmen. To enable it, you can make various patches:
file by changing the jdk.tls.disabledAlgorithms property.
# Insert this code into java.security to turn Diffie Hellman back on jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 jdk.tls.disabledAlgorithms=SSLv3, RC4 jdk.tls.legacyAlgorithms= \ K_NULL, C_NULL, M_NULL, \ RSA_EXPORT, \ RC4_128, RC4_40, DES_CBC, DES40_CBC
You can also adjust:
// increase limit of Diffie-Hellman key size to 1024 or 2048 System.setProperty( "jdk.tls.ephemeralDHKeySize", "2048" );
Java 1.8 now supports Diffie-Hellman 2048-bit MODP, when enabled. It used to support only 512 through 1024 bit.
Diffie-Helman will fail when the remote site demands a key bigger than 2048 bits. In that case, you can compile with Jet which supports larger keys, or use BouncyCastle.
Diffie-Hellman also uses SHA digests which are usually 128, 256 or 384 bits long.
This page is posted
Optional Replicator mirror
Please read the feedback from other visitors, or send your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.
Your face IP:[220.127.116.11]
You are visitor number|