customize DH-params in openSSL


Mert Zararsiz

Jun 14, 2016, 11:57:26 PM
to vert.x
Hello Vertx group,

I was wondering if it is possible to set a minimal DH-param size in OpenSSLEngineOptions or anywhere else.
The reasoning for this is that Vertx performs a default key exchange with a size of 1024 bits, which is considered weak according to SSL Labs.

The key size could be customized on the normal JdkSSLEngine by changing the jdk.tls.ephemeralDHKeySize JVM property to the desired key size.

I've searched around for a solution and saw that tomcat-native seems to use SSLContext.setTmpDH(long serverContext, String filePath) to provide custom DH-params.
Calling this method does not work on Vertx (using netty-tcnative-boringssl-static), resulting in the following error message:

Exception in thread "main" java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.SSLContext.setTmpDH(JLjava/lang/String;)V
    at org.apache.tomcat.jni.SSLContext.setTmpDH(Native Method)
    at Initializer.main(Initializer.java:30)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)

Would there be a way to solve this issue?
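Added example (not from the thread, and not Vert.x or Netty code): the openssl CLI side of the question above, i.e. generating a DH parameter file larger than the 1024-bit default, checking what the file actually contains, and reading back which ephemeral key a live server negotiates for a DHE suite. It assumes an openssl binary on PATH; the function names and file paths are illustrative, and the 2048-bit minimum and 1024-bit threshold are the figures from the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes `openssl` on PATH.

# Generate a DH parameter file holding a safe prime of BITS bits.
# openssl dhparam searches for a safe prime, so 2048 bits and above can
# take noticeably longer than 1024. Progress dots go to stderr; drop them.
gen_dh_params() {
    out="$1"; bits="$2"
    openssl dhparam -out "$out" "$bits" 2>/dev/null
}

# Print the modulus size in bits of a DH parameter file, parsed from the
# "DH Parameters: (N bit)" header that `dhparam -text` prints.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 only if the parameters pass openssl's own sanity check (-check:
# p prime, safe prime, generator valid) AND the modulus is at least MIN bits.
# MIN defaults to 2048; a 1024-bit file is exactly what SSL Labs flags as weak.
dh_acceptable() {
    file="$1"; min="${2:-2048}"
    openssl dhparam -in "$file" -noout -check >/dev/null 2>&1 || return 1
    bits=$(dh_bits "$file")
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# Report the ephemeral key a running server actually uses when forced onto a
# DHE suite over TLS 1.2 (needs network; not exercised offline). A line such as
# "DH, 1024 bits" here is the finding behind the SSL Labs warning.
server_temp_key() {
    openssl s_client -connect "$1" -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null |
        sed -n 's/^Server Temp Key: *//p'
}

# Stand-alone run: generate a 2048-bit file and confirm it clears the bar.
if [ "${1:-}" = "demo" ]; then
    gen_dh_params dh2048.pem 2048
    echo "modulus: $(dh_bits dh2048.pem) bits"
    dh_acceptable dh2048.pem && echo "dh2048.pem is acceptable"
fi
```

Run it with `sh dhcheck.sh demo` (name assumed) to produce and vet a 2048-bit file; `server_temp_key host:443` shows what a deployed server negotiates today. Note that an UnsatisfiedLinkError on a JNI method, as in the trace above, means the native library that was loaded carries no implementation of that method at all, so a larger parameter file on its own does not help until the engine in use exposes a way to load it.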

Julien Viet

Jun 15, 2016, 2:16:49 AM
to ve...@googlegroups.com
Hi,

it seems rather a Netty question.

Could you ask this question on Netty's mailing list, they are usually quite responsive there ?


Julien Viet

Jun 15, 2016, 1:52:46 PM
to ve...@googlegroups.com
looks like you got an answer on Netty’s list :-)

Mert Zararsiz

Jun 16, 2016, 4:12:38 AM
to vert.x
Yep!
There is a Netty issue post on Github for those who wonder: 


On Wednesday, June 15, 2016 at 7:52:46 PM UTC+2, Julien Viet wrote: