LumHonPeng

Weak default Tomcat DH Ciphers - what is missing in article 41101.

Blog Post created by LumHonPeng on Mar 1, 2016

Hi,

 

I read article 41101 following a bulletin but realise that it did not address the main issue related to the weak default DH ciphers / Diffie-Hellman key.

Basically the problems with Blackboard 9.1 Oct 14 and 9.1 Q4 15 boils down to:

a) Java 7 is the certified JDK for these 2 version

b) Java 7 uses 768-bit for DH by default

c) Java 7 has limited strength policy so AES is maxed out at 128 bits

 

The following articles I found online (especially the first) helped me a lot in understanding why my security team was harping on this when the cipher list in article 41639 & 40766 has AES256, DH, DHE ciphers. The articles pointed out that I needed to have:

1) “-Djdk.tls.ephemeralDHKeySize=2048” under bbconfig.jvm.options.extra.tomcat”

2) Apply JCE unlimited strength policy so that I could use AES256 cipher and that security team will not complain about the DH cipher being weak.

 

Reference:

https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/

http://suhothayan.blogspot.sg/2012/05/how-to-install-java-cryptography.html

 

Hope this helps someone here.

 

Regards,

Lum

Outcomes