
I have migrated a service from JDK8 to JDK17. Now, whenever a client connects to the server, the server offers the X448 elliptic curve. I want to disable it.

PFS is offered (OK)          ECDHE-RSA-AES128-GCM-SHA256
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448

The above output is from the testssl tool, which tests SSL.

I have tried setting JVM args as:

System.setProperty("jdk.tls.namedGroups","prime256v1");
System.setProperty("jdk.disabled.namedGroups","X448");

But the above is not working with JDK17. Can someone help me with how to disable the X448 elliptic curve in JDK17?

1 Answer


There are no system properties with the names you show, or similar. (Also, technically, system properties set in code are not 'JVM arg[ument]s', although they can have the same effect.)

In Java 8u271 up, 11.0.9 up, and 14 up, when using the 'standard' (upstream-distributed) java.security file, there is a security property jdk.disabled.namedCurves (not Groups) that is 'included' into three other security properties jdk.{certpath,jar,tls}.disabledAlgorithms with the effect of disabling for those purposes curves that are now unsafe, unportable, or otherwise unrecommended.

Your code could add `, X448` to `jdk.disabled.namedCurves` and have it automatically apply to the three other cases; certpath could never use X448 anyway since it doesn't support signing, and I'm pretty sure jar also wouldn't, so this would most likely affect only TLS. Or you could add it directly to `jdk.tls.disabledAlgorithms` and be certain it affects only TLS. In either case you should add it to, not replace, the existing value, because all four of these properties already contain numerous curves or algorithms, respectively, that need to be disabled to prevent various problems or risks.

And in either case you must do it very near the beginning of execution of your JVM, specifically before the first reference by any class to sun.security.util.DisabledAlgorithmConstraints (directly or indirectly). I'm not sure even the beginning of your main method is early enough, although you can try it. Putting it in the configuration file (before the JVM even starts) is safe; for this you can either modify the file JDKORJRE/conf/security/java.security in j9 up or JRE/lib/security/java.security in j8 down, which affects all JVMs using that JRE, or create a modified or patch file and use the system property java.security.properties on a specific JVM as described in the comments in the standard file; this needs to be in effect during JVM startup and thus the -D argument is the only way to achieve it.

Which sadly makes this not a programming question and I'm not sure it counts as development, so it may be off-topic here.

dave_thompson_085
    Configuring the VM is certainly about programming if you ask me. And no, you cannot just set properties in `main` or something similar and expect that to work, -D is indeed the way. – Maarten Bodewes Mar 24 '23 at 16:31
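As an added example (not from the question, the answer or the JDK), the following POSIX shell script builds the override file the answer describes: it reads the existing jdk.tls.disabledAlgorithms value from a java.security file (joining the backslash-continued lines), appends X448 to that list rather than replacing it, and writes a file to hand to the JVM with -Djava.security.properties. The java.security excerpt it parses is a constructed sample with the same layout as the real file, not the real file itself.

```shell
#!/bin/sh
# Constructed sample with the layout of conf/security/java.security (not the real file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# comment lines are ignored by the parser below
jdk.disabled.namedCurves = secp112r1, secp112r2, sect113r1, \
    brainpoolP256r1, brainpoolP320r1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
EOF

# Print the value of one property, joining lines that end in a backslash and
# collapsing the indentation of continuation lines to single spaces.
# Usage: security_property <java.security file> <property name>
security_property() {
    awk -v key="$2" '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        { line = buf $0; buf = ""
          if (match(line, "^" key "[[:space:]]*=")) print substr(line, RLENGTH + 1) }
    ' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]][[:space:]]*/ /g'
}

# Write an override file whose jdk.tls.disabledAlgorithms is the existing list
# plus one more entry, so nothing already disabled becomes enabled again.
# Usage: write_override <java.security file> <algorithm to add> <output file>
write_override() {
    cur=$(security_property "$1" jdk.tls.disabledAlgorithms)
    [ -n "$cur" ] || { echo "jdk.tls.disabledAlgorithms not found in $1" >&2; return 1; }
    printf 'jdk.tls.disabledAlgorithms=%s, %s\n' "$cur" "$2" > "$3"
}

OVERRIDE=$(mktemp)
write_override "$SAMPLE" X448 "$OVERRIDE"
cat "$OVERRIDE"
# A single '=' after java.security.properties keeps the rest of java.security and
# overrides only the properties listed in the file ('==' would replace the whole file).
echo "java -Djava.security.properties=$OVERRIDE -jar your-service.jar"
```

On a real system, pass the JDK's own $JAVA_HOME/conf/security/java.security as the first argument instead of the constructed sample.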