Add -Djdk.tls.ephemeralDHKeySize=matched and/or -Djsse.SSLEngine.acceptLargeFragments=true to startup parameters

Description

xmpp.org went offline recently and came back online with the DH key size set to 2048. This caused federation with XMPP servers using a size of 1024 to fail.

In the case of Java-based XMPP servers like Openfire (which use a default value of 1024 inherited from the JVM), the error message received from xmpp.org was "handshake_failure" instead of "dh key size too small", and that made debugging difficult.

Adding the following parameters at startup fixed the issue:

-Djdk.tls.ephemeralDHKeySize=matched

-Djsse.SSLEngine.acceptLargeFragments=true

The purpose of this issue is to see if we can add at least one of those options to our startup scripts.
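Both settings are JVM system properties, so they only take effect when passed on the java command line at startup (jdk.tls.ephemeralDHKeySize controls the ephemeral DH key size the JSSE server side offers; "matched" sizes it to the server certificate's key). The snippet below is an added example, not code from this report or from Openfire's own startup scripts: it appends the two properties to a JAVA_OPTS-style string without overriding a value an administrator has already set, and rejects DH key sizes the JDK would not accept. The function names and the JAVA_OPTS variable are assumptions.

```shell
#!/bin/sh
# Append -Dkey=value to an options string unless -Dkey=... is already there.
# Java applies the last -D for a given key, so blindly appending would
# silently override an admin's explicit setting in the startup script.
# (Assumed helper; Openfire's real scripts are not part of this example.)
ensure_jvm_prop() {
    opts=$1; key=$2; value=$3
    case " $opts " in
        *" -D$key="*) printf '%s' "$opts" ;;              # already set: keep it
        *)            printf '%s' "${opts:+$opts }-D$key=$value" ;;
    esac
}

# Accept only values the JDK understands for jdk.tls.ephemeralDHKeySize:
# "legacy", "matched", or an integer bit size of at least 1024 (the upper
# bound the JDK accepts depends on the JDK version, so it is not checked here).
valid_dh_key_size() {
    case $1 in
        legacy|matched) return 0 ;;
        *[!0-9]*|'')    return 1 ;;
        *)              [ "$1" -ge 1024 ] ;;
    esac
}

# Build the final option string from the current JAVA_OPTS (assumed variable),
# defaulting the DH key size to "matched" as the report suggests.
build_tls_opts() {
    dhsize=${1:-matched}
    valid_dh_key_size "$dhsize" || return 1
    opts=$(ensure_jvm_prop "${JAVA_OPTS:-}" jdk.tls.ephemeralDHKeySize "$dhsize")
    ensure_jvm_prop "$opts" jsse.SSLEngine.acceptLargeFragments true
}
```

A startup script would then run something like `JAVA_OPTS=$(build_tls_opts) && exec java $JAVA_OPTS ...`; the properties cannot be changed once the JVM has initialised JSSE.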

Environment

None
Fixed

Assignee

Guus der Kinderen

Reporter

Dele Olajide