Diffie-Hellman parameter size


Hervé Guillemet

Feb 5, 2021, 11:59:02 AM
to CAS Community
I'm running a CAS 6 server with embedded Jetty, and SSL checkers tell me that my DH parameter size is only 1024. I haven't found any way to change it to 2048.
My server.ssl configuration group looks like:

  protocol: TLS
  enabled-protocol: TLSv1.2 TLSv1.3
  ciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Any idea?

Jonathon Taylor

Feb 18, 2021, 1:22:54 PM
to cas-...@apereo.org
Hi,

If you haven't already figured this out, I believe you need to set this as a Java option at CAS startup (-Djdk.tls.ephemeralDHKeySize=2048).  We use external Tomcat and have something like this in our systemd unit file, but it should work just as well if you are using just the CAS WAR:

Environment='JAVA_OPTS=-Djdk.tls.ephemeralDHKeySize=2048'

Jonathon
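As an added example (not code from either poster or from CAS), the following Python snippet parses the ServerDHParams at the start of a TLS 1.2 ServerKeyExchange body and reports the size of the prime modulus, which is the figure the SSL checkers in the question flag at 1024 bits. The sample byte strings are constructed here to exercise the parser; their moduli are arbitrary odd numbers of the stated size, not real DH groups.

```python
import struct

MIN_DH_BITS = 2048  # the ephemeral DH size the thread wants the JVM to use


def parse_dh_server_params(body: bytes) -> dict:
    """Parse the ServerDHParams prefix of a TLS 1.2 ServerKeyExchange body
    (RFC 5246 section 7.4.3): three length-prefixed big-endian integers
    dh_p, dh_g and dh_Ys. The signature that follows them is ignored."""
    fields = {}
    offset = 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if offset + length > len(body):
            raise ValueError(f"truncated inside {name}")
        fields[name] = int.from_bytes(body[offset:offset + length], "big")
        offset += length
    return fields


def dh_group_bits(body: bytes) -> int:
    """Size in bits of the negotiated DH prime, as scanners report it."""
    return parse_dh_server_params(body)["p"].bit_length()


def dh_group_is_acceptable(body: bytes, minimum: int = MIN_DH_BITS) -> bool:
    """True when the server's ephemeral DH group meets the minimum size."""
    return dh_group_bits(body) >= minimum


def encode_dh_server_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used to build the constructed samples below."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples: arbitrary odd moduli of 1024 and 2048 bits, NOT safe primes.
WEAK_1024 = encode_dh_server_params((1 << 1023) | 0x1234567, 2, 1 << 1000)
STRONG_2048 = encode_dh_server_params((1 << 2047) | 0x1234567, 2, 1 << 2000)

if __name__ == "__main__":
    for label, sample in (("JDK default group", WEAK_1024),
                          ("group after -Djdk.tls.ephemeralDHKeySize=2048", STRONG_2048)):
        print(f"{label}: {dh_group_bits(sample)} bits, "
              f"acceptable={dh_group_is_acceptable(sample)}")
```

In practice the body bytes come from a packet capture of a DHE handshake, or the same figure can be read off the "Server Temp Key" line of openssl s_client.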
