5

Good day,

I have a WAS liberty server in Linux Redhat, and I enable the only TLSv1.2.

I type the following command to get the server info:

openssl s_client -connect 10.7.5.65:9443 -msg

Part of the result is as follow:

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1710 bytes and written 479 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported

I saw the Server Temp Key value is DH, 1024 bits, but also saw the Server public key is 2048 bit, may I know my Diffie-Hellman MODP size (bits) is actually 1024 or 2048?

And also the part of the ServerKeyExchange

<<< TLS 1.2 Handshake [length 020f], ServerKeyExchange
    0c 00 02 0b 00 80 ff ff ff ff ff ff ff ff c9 0f

00 80 convert to decimal is 128, so its means my Diffie-Hellman MODP size (bits) is 1024 bits?

And if its 1024 bits, how can I increase it to 2048 bits?

I am using Java 8 OpenJDK in this server.

Kindly advise.

Yuri
  • 4,254
  • 1
  • 29
  • 46
Panadol Chong
  • 1,793
  • 13
  • 54
  • 119

1 Answers1

2

In this case, it looks like it is 1024 bit for your dhparams. You can generate a new dhparams with openssl:

openssl dhparam -out dhparam.pem 2048

Then configure your server that is using the dhparams to use the new file, and restart. We did this a long time ago with nginx and apache. There is generally a dhparam file that is used for the system centrally located in /etc for RHEL/CentOS. Replacing that should be sufficient, but if you are using a non-centrally located file, you'll need to modify your configuration accordingly.