author | Julien Vehent <julien@linuxwall.info> | 2015-05-27 05:58:30 -0400 |
---|---|---|
committer | Julien Vehent <julien@linuxwall.info> | 2015-05-27 06:01:23 -0400 |
commit | 4534676e8913e65537a711192751e98a8e00a8dd (patch) | |
tree | c9ad13c892d40ce354e0ab80296e69a99da7a244 | |
parent | 28833c2bd78910442196e15454a8db4c57052e9c (diff) | |
intermediate dhe to 2048, note about java
-rw-r--r-- | Server_Side_TLS.mediawiki | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/Server_Side_TLS.mediawiki b/Server_Side_TLS.mediawiki index 817ce48..8a4d37f 100644 --- a/Server_Side_TLS.mediawiki +++ b/Server_Side_TLS.mediawiki @@ -10,6 +10,7 @@ The Operations Security (OpSec) team maintains this document as a reference guid ! Document Status !! Major Versions |- | <span style="color:green;">'''READY'''</span> || +* Version 3.6: ulfr: bump intermediate DHE to 2048, add note about java compatibility * Version 3.5: alm: comment on weakdh vulnerability * Version 3.4: ulfr: added note about session resumption, HSTS and HPKP * Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates @@ -34,9 +35,9 @@ The Operations Security (OpSec) team maintains this document as a reference guid </td> </tr></table> -Updates to this page should be submitted to the [[https://github.com/mozilla/server-side-tls source repository on github]]. +Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls source repository on github]. -If you are looking for the configuration generator, follow this link: [[https://mozilla.github.io/server-side-tls/ssl-config-generator/ https://mozilla.github.io/server-side-tls/ssl-config-generator/]]. +If you are looking for the configuration generator, follow this link: [https://mozilla.github.io/server-side-tls/ssl-config-generator/ https://mozilla.github.io/server-side-tls/ssl-config-generator/]. = Recommended configurations = Three configurations are recommended. Pick the right configuration depending on your audience. If you do not need backward compatibility, and are building a service for modern clients only (post FF27), then use the Modern configuration. Otherwise, prefer the Intermediate configuration. Use the Old backward compatible configuration only if your service will be accessed by very old clients, such as Windows XP IE6, or ancient libraries & bots. 
@@ -73,7 +74,7 @@ For services that don't need compatibility with legacy clients (mostly WinXP), b * Ciphersuite: '''ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA''' * Versions: '''TLSv1, TLSv1.1, TLSv1.2''' * RSA key size: '''2048''' -* DH Parameter size: '''1024''' (prefer 2048 if java support is not needed) +* DH Parameter size: '''2048''' (see [[Security/Server_Side_TLS#DHE_and_Java|DHE and Java]] for details) * Elliptic curves: '''secp256r1, secp384r1, secp521r1''' (at a minimum) * Certificate signature: '''SHA-256''' 
@@ -198,6 +199,28 @@ MBYCEQCHU6UNZoHMF6bPtj21Hn/bAgEC..... -----END DH PARAMETERS----- </source> + +== DHE and Java == +Java 6 and 7 do not support Diffie-Hellman parameters larger than 1024 bits. If your server expects to receive connections from java 6 clients and wants to enable PFS, it must provide a DHE parameter of 1024 bits. + +The case of Java 7 is a bit different. Java 7 supports ECDHE ciphers, so if the server provides ECDHE and prioritizes it before DHE ciphers using server side ordering, then Java 7 will use ECDHE and not care about the size of the DHE parameter. In this situation, the server can use 2048 bits DHE parameters for all other clients. + +However, if the server does not support ECDHE, then Java 7 will use DHE and fail if the parameter is larger than 1024 bits. When failing, the handshake will not attempt to fall back to the next cipher in line, but simply fail with the error "java.lang.RuntimeException: Could not generate DH keypair". + +{| class="wikitable" +|- +! Java supported !! ECDHE prioritized !! smallest DH parameter size +|- +| 6 || irrelevant || 1024 +|- +| 7 || NO || 1024 +|- +| 7 || YES || 2048 +|- +| 8 || irrelevant || 2048 +|} + + = OCSP Stapling = When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record. The problem with CRL is that the lists have grown huge and takes forever to download. |
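Review bot: in the @@ -73 hunk, the bump to '''2048''' is only safe for Java 7 clients when the server enforces its own cipher order, because the Intermediate ciphersuite on the same line lists ECDHE-RSA-AES128-GCM-SHA256 and the other ECDHE suites ahead of the DHE suites, and that preference is what keeps Java 7 off DHE; the bullet should state that requirement rather than only link to the explanation, e.g. `* DH Parameter size: '''2048''' (requires server-side cipher ordering so ECDHE is preferred; see [[Security/Server_Side_TLS#DHE_and_Java|DHE and Java]])`. The removed parenthetical "(prefer 2048 if java support is not needed)" was the only hint that Java 6 clients can no longer use the Intermediate configuration; that consequence belongs in the Intermediate description itself, not just in the linked section. Also confirm the page really lives at Security/Server_Side_TLS on the wiki, otherwise the [[Security/Server_Side_TLS#DHE_and_Java|...]] link breaks; a same-page anchor [[#DHE_and_Java|DHE and Java]] does not depend on the page title.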
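Review bot: in the @@ -198 hunk, the table header "smallest DH parameter size" says the opposite of what the prose above it describes: Java 6 and 7 fail on parameters larger than 1024 bits, so 1024 is the largest size those clients accept, not the smallest; rename the column to something like "largest DH parameter size the client accepts" or "DH parameter size to deploy". The "| 7 || YES || 2048" row is also misleading: with ECDHE prioritized, Java 7 never negotiates DHE, so the DHE size is irrelevant for that client (as the paragraph above says) and 2048 is simply the value chosen for the other clients. Since the DH parameter is a single server-side setting, the Java 6 row should spell out that choosing 1024 weakens DHE for every client of that server, not only the Java 6 ones. Minor: "java 6 clients" should read "Java 6 clients", "2048 bits DHE parameters" should read "2048-bit DHE parameters", and there are two blank `+` lines before "= OCSP Stapling =" where one would do.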