Layer7 API Management

  • 1.  Java 8 Update 161 now restricts Diffie-Hellman keys

    Posted May 02, 2019 09:33 AM

    Hi,

    In version 9.3 CR1 the JDK version has been updated to JDK 1.8.0 Update 162.
    This version restricts Diffie-Hellman keys that are less than 1024 bits.

    Our gateways have recently been upgraded to version 9.4, and when I replaced an existing private key with the new one, I got an error when I tried to disable/enable the listen port.

    The listen port had the following 2 DH ciphers:
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

    After disabling these two ciphers I was able to restart the listen port.

    The strange thing is that the listen ports with unchanged private keys do not show this behavior while they also have the two DH ciphers.

    Can you first of all confirm that the restriction in the new version of the JDK has an effect on the choice of the ciphers and causes the error?
    And if so, why does this not affect the unchanged listen ports/private keys?

    Regards,

    Hakim



  • 2.  Re: Java 8 Update 161 now restricts Diffie-Hellman keys

    Broadcom Employee
    Posted May 06, 2019 10:36 AM

    Hi Hakim

    It is the policymanager which checks the settings when you save the listen port settings.

    Regards

    Dirk



  • 3.  Re: Java 8 Update 161 now restricts Diffie-Hellman keys

    Posted May 09, 2019 03:46 AM

    Hi Dirk,

    How does the policymanager check the weak ciphers?

    Regards,

    Hakim