Weak default Tomcat DH Ciphers - what is missing in article 41101.

Blog Post created by LumHonPeng on Mar 1, 2016



I read article 41101 following a bulletin but realised that it did not address the main issue related to the weak default DH ciphers / Diffie-Hellman key.

Basically the problems with Blackboard 9.1 Oct 14 and 9.1 Q4 15 boil down to:

a) Java 7 is the certified JDK for these 2 versions

b) Java 7 uses 768-bit for DH by default

c) Java 7 has a limited strength policy so AES is maxed out at 128 bits


The following articles I found online (especially the first) helped me a lot in understanding why my security team was harping on this when the cipher lists in articles 41639 & 40766 have AES256, DH, DHE ciphers. The articles pointed out that I needed to:

1) Set “-Djdk.tls.ephemeralDHKeySize=2048” under “bbconfig.jvm.options.extra.tomcat”

2) Apply the JCE unlimited strength policy so that I could use the AES256 ciphers and so that the security team would not complain about the DH cipher being weak.




Hope this helps someone here.
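To confirm both changes took effect after restarting Tomcat, the handshake summary printed by `openssl s_client -connect <host>:443` can be checked for the ephemeral DH size and the negotiated AES strength. The script below is an added example, not part of the original post or of Blackboard's tooling; the two handshake excerpts are constructed samples and the function names are hypothetical.

```python
import re

MIN_DH_BITS = 2048  # matches -Djdk.tls.ephemeralDHKeySize=2048 from the post

# Constructed s_client excerpts (not captured from a real server).
BEFORE = """\
Server Temp Key: DH, 768 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
"""
AFTER = """\
Server Temp Key: DH, 2048 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
"""

def parse_handshake(text):
    """Pull the negotiated cipher and ephemeral key type/size out of s_client output."""
    cipher = re.search(r"Cipher is (\S+)", text)
    temp = re.search(r"Server Temp Key:\s*(\w+),.*?(\d+) bits", text)
    return {
        "cipher": cipher.group(1) if cipher else None,
        "kex": temp.group(1) if temp else None,
        "bits": int(temp.group(2)) if temp else None,
    }

def findings(text):
    """Return a list of problems; an empty list means both settings look applied."""
    h = parse_handshake(text)
    if h["cipher"] in (None, "(NONE)"):
        return ["no cipher negotiated; handshake failed"]
    out = []
    if h["kex"] == "DH" and h["bits"] < MIN_DH_BITS:
        out.append(f"ephemeral DH key is {h['bits']} bits (< {MIN_DH_BITS}): "
                   "check jdk.tls.ephemeralDHKeySize in the Tomcat JVM options")
    if h["kex"] is None and "DHE-" in h["cipher"]:
        out.append("DHE suite negotiated but no 'Server Temp Key' line; key size unverified")
    if "AES128" in h["cipher"]:
        # Only a hint: the client's own preference order can also select AES128.
        out.append("AES128 negotiated: check that the JCE unlimited strength policy is installed")
    return out

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, findings(sample) or "OK")
```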