
Java JVM Hotspot ephemeralDHKeySize

I am trying to increase the DH key size from 1024 bits to 2048 bits, as per this question: How to expand DH key size to 2048 in java 8.

However, it does not seem to work. Relevant information:

java -version
java version "1.8.0_45" 
Java(TM) SE Runtime Environment (build 1.8.0_45-b14) 
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)

And

System.out.println(Security.getProperty("jdk.tls.ephemeralDHKeySize"));
2048

However, if I connect to that server from a client, it uses 1024-bit:

openssl s_client -connect server:port -cipher "EDH" 2>/dev/null | grep -ie "Server .* key"
Server Temp Key: DH, 1024 bits

Any idea what else I can do?

I'm concerned that you're calling Security.getProperty("jdk.tls.ephemeralDHKeySize") to check the DH key size. The jdk.tls.ephemeralDHKeySize property is not a Security property, it's a System property, which leads me to suspect that you're not setting it properly. If you're setting it like this:

Security.setProperty("jdk.tls.ephemeralDHKeySize", "2048"); // don't do this

then that's not going to work. Try either passing:

-Djdk.tls.ephemeralDHKeySize=2048

in the command-line of your program, or set it like this:

System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");

in code.
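
A startup check for the mix-up described in the answer above, as an added example that is not part of the original answer. The class name `EphemeralDhCheck` and the `diagnose` helper are hypothetical; it also assumes, as in the JDK 8 JSSE provider, that the property is read once when the TLS handshake classes initialize, so it has to be set before the first TLS use.

```java
import java.security.Security;

/** Added example: report whether the DH size was set where JSSE will read it. */
public class EphemeralDhCheck {
    static final String PROP = "jdk.tls.ephemeralDHKeySize";

    /** Returns a diagnosis for the given System and Security property values. */
    static String diagnose(String sysValue, String secValue, int wantedBits) {
        if (sysValue == null) {
            return secValue != null
                ? "MISCONFIGURED: set only as a Security property, which JSSE ignores"
                : "UNSET: JSSE falls back to its built-in default size";
        }
        // "legacy" and "matched" are the documented non-numeric modes.
        if (sysValue.equals("legacy") || sysValue.equals("matched")) {
            return "NOT FIXED: mode '" + sysValue + "' does not pin " + wantedBits + " bits";
        }
        try {
            int bits = Integer.parseInt(sysValue);
            return bits >= wantedBits ? "OK: " + bits + " bits requested"
                                      : "WEAK: " + bits + " bits requested";
        } catch (NumberFormatException e) {
            return "INVALID: '" + sysValue + "' is not legacy, matched or an integer";
        }
    }

    public static void main(String[] args) {
        // The mistake the answer suspects: the value is stored but never read by JSSE.
        Security.setProperty(PROP, "2048");
        System.out.println(diagnose(System.getProperty(PROP), Security.getProperty(PROP), 2048));

        // The fix from the answer; do this before the first TLS class is used.
        System.setProperty(PROP, "2048");
        System.out.println(diagnose(System.getProperty(PROP), Security.getProperty(PROP), 2048));
    }
}
```

The result still needs to be confirmed from the client side with the `openssl s_client` command from the question, since the check only covers where the property was set.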
