From 44017711e279b0b5b67eb1cdbfe7baa8c2c123aa Mon Sep 17 00:00:00 2001
From: jaymode
Date: Thu, 28 May 2015 10:42:59 -0400
Subject: [PATCH] remove DHE cipher from default list

This commit removes the DHE cipher from our list of enabled ciphers due to the recently published Logjam attack. The default configuration is not susceptible to the Logjam attack, but since we support Java 7 the maximum prime size (768 bit) is considered too weak. Java 8 supports 1024 bit primes, but these are also not ideal and this cipher should not be used with a prime smaller than 2048 bits.
Closes elastic/elasticsearch#862
Original commit: elastic/x-pack-elasticsearch@9785bf47cfada9ef7bfeec2501054597f9cf5c9e
---
 .../java/org/elasticsearch/shield/ssl/AbstractSSLService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java b/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java
index df7fb58ba25..702e96024f7 100644
--- a/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java
+++ b/src/main/java/org/elasticsearch/shield/ssl/AbstractSSLService.java
@@ -39,7 +39,7 @@ public abstract class AbstractSSLService extends AbstractComponent {
 public static final String[] DEFAULT_SUPPORTED_PROTOCOLS = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
- static final String[] DEFAULT_CIPHERS = new String[] { "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" };
+ static final String[] DEFAULT_CIPHERS = new String[] { "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" };
 static final TimeValue DEFAULT_SESSION_CACHE_TIMEOUT = TimeValue.timeValueHours(24);
 static final int DEFAULT_SESSION_CACHE_SIZE = 1000;
 static final String DEFAULT_PROTOCOL = "TLS";
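Review bot: With TLS_DHE_RSA_WITH_AES_128_CBC_SHA removed, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is the only forward-secret suite left in DEFAULT_CIPHERS on the added line, yet it is still listed last behind the two static-RSA suites, so if this array order is applied as a preference a peer offering both will typically end up on a non-forward-secret suite. Consider moving the ECDHE entry to the front, `new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" }`; whether the order is honoured during negotiation depends on code outside this hunk, so that part is inferred. The reason for dropping DHE lives only in the commit message; a comment above the field such as `// DHE suites intentionally omitted: Java 7 caps DH primes at 768 bits (Java 8 at 1024), below the 2048-bit minimum we require` would keep the suite from being re-added later. The enclosing class AbstractSSLService continues outside the hunk.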