Over a million developers have joined DZone.

How Java 7 and 8 Handle DHE Keys Differently, and Resolving Errors

Firefox v39.0+ and Chrome v45.0+ may generate an error if "weak" Diffie-Hellman public keys are used. Here's how to resolve the error.

· Java Zone

Microservices! They are everywhere, or at least, the term is. When should you use a microservice architecture? What factors should be considered when making that decision? Do the benefits outweigh the costs? Why is everyone so excited about them, anyway?  Brought to you in partnership with IBM.

Under Java 7 versus 8, Firefox v39.0 + and Chrome v45.0 + may generate an error if "weak" DHE public keys are used for SSL communication in WSO2 products.

To resolve this issue, you have three options:

1.  You need to disable the DHE cipher which is used.

Configure the following cipher suite, which can then be used for SSL communication in CARBON_HOME/repository/conf/tomcat/catalina-server.xml. This cipher parameter must be configured inside the TLS connector element.

ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

To achieve “Perfect Forward Secrecy,” we usually need DHE; therefore, removing the DHE ciphers is not a good option.

2.  Use a 1024-bit (or larger) Diffie-Hellman group for the DHE_RSA SSL cipher suites.

You need to use JAVA 8.0 for this. The following parameter in JAVA 8.0 can be used to customize the key size to some larger value.

-Djdk.tls.ephemeralDHKeySize=2048

JAVA 7.0 does not support 1024-bit key size and you can not have the above parameter to configure a larger key size (in latest public releases of JAVA 7.0)

Currently, WSO2 products can not be run using JAVA 8.0; but, future releases of WSO2 will be able to run using JAVA 8.0, and you can then use the DHE ciphers with a larger key size.

3.  Enable ECDHE
We can enable only the ECDHE cipher in WSO2 servers without using the DHE ciphers. Then, we are safe from both “Weak Cipher”and “Perfect Forward Secrecy” attacks.

So, you can add the following cipher suite which can be used for SSL communication in the CARBON_HOME/repository/conf/tomcat/catalina-server.xml. This cipher's parameter must be configured inside the TLS connector element.

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"


Discover how the Watson team is further developing SDKs in Java, Node.js, Python, iOS, and Android to access these services and make programming easy. Brought to you in partnership with IBM.

Topics:
java ,java 8 ,java 7 ,ssl ,authorization

Published at DZone with permission of Asela Pathberiya, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}