Add -Djdk.tls.ephemeralDHKeySize=matched and/or -Djsse.SSLEngine.acceptLargeFragments=true to startup parameters

Description

xmpp.org went offline recently and came back online with the DH key size set to 2048. This caused federation with XMPP servers using a size of 1024 to fail.

In the case of Java-based XMPP servers like Openfire (which use a default value of 1024 inherited from the JVM), the error message received from xmpp.org was "handshake_failure" instead of "dh key size too small", which made debugging difficult.

Adding the following parameters at startup fixed the issue:

-Djdk.tls.ephemeralDHKeySize=matched

-Djsse.SSLEngine.acceptLargeFragments=true

The purpose of this issue is to see if we can add at least one of those options to our startup scripts.
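As an added example (not code from the Openfire project or from this issue), the functions below add the two JVM properties to a JAVA_OPTS-style string without duplicating or leaving a stale value behind, and report which of the two a running JVM's command line is missing. The name and shape of the variable holding Openfire's startup options is an assumption; the property names and values are the ones quoted above.

```shell
#!/bin/sh
# Added example; the options string format (space-separated -D flags,
# as in a JAVA_OPTS-style variable) is an assumption, not Openfire's own.

# ensure_jvm_opt OPTS KEY VALUE
#   Prints OPTS with "-DKEY=VALUE" present exactly once: an existing
#   "-DKEY=..." setting (e.g. a stale =1024) is replaced, otherwise the
#   option is appended at the end.
ensure_jvm_opt() {
    opts=$1 key=$2 value=$3
    out=''
    found=0
    for tok in $opts; do
        case $tok in
            "-D$key="*) tok="-D$key=$value"; found=1 ;;
        esac
        out="${out:+$out }$tok"
    done
    [ "$found" -eq 1 ] || out="${out:+$out }-D$key=$value"
    printf '%s\n' "$out"
}

# Apply both properties from this issue to an options string.
with_dh_fixes() {
    o=$(ensure_jvm_opt "$1" jdk.tls.ephemeralDHKeySize matched)
    ensure_jvm_opt "$o" jsse.SSLEngine.acceptLargeFragments true
}

# missing_dh_opts ARGS
#   ARGS is a JVM command line (e.g. from: ps -o args= -p <pid>).
#   Prints one line per property that is not set at all; prints nothing
#   when both are present, whatever their values.
missing_dh_opts() {
    for want in -Djdk.tls.ephemeralDHKeySize= \
                -Djsse.SSLEngine.acceptLargeFragments=; do
        case " $1 " in
            *" $want"*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
}

# Constructed sample: a start line that still carries the 1024 default.
with_dh_fixes "-Xmx1g -Djdk.tls.ephemeralDHKeySize=1024"
```

Running `with_dh_fixes` twice on the same input yields the same string, so it is safe to call from a startup script on every boot.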

Environment

None

Fixed
Created April 4, 2020 at 3:04 PM
Updated June 4, 2020 at 6:15 PM
Resolved June 4, 2020 at 6:15 PM