Security issues regarding key exchange algorithms

Document ID : KB000098086
Last Modified Date : 01/06/2018
Question:
I want to exclude specific elliptic curves from the key-exchange algorithms of the cipher suites.
I know that you can exclude a complete cipher suite, but I only want to exclude some elliptic curves that are deemed unsafe.
 
Answer:
To exclude a complete cipher suite, you would use the steps explained here.

To exclude only some elliptic curves, you will need to modify the java.security file, which drives the selection and availability of the ciphers and algorithms:

Check the java.security file at /opt/SecureSpan/JDK/jre/lib/security/.
This file is where you disable particular algorithms.

The line beginning with
jdk.tls.disabledAlgorithms
should be changed to
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40

This cuts out the weak algorithms. The entry "EC keySize < 224" disables elliptic-curve keys smaller than 224 bits, so it filters curves by key size rather than by curve name. The JVM reads java.security at startup, so the Gateway must be restarted for the change to take effect. Please note that later CRs and release 9.3 already include changes that exclude some or all of these algorithms.
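As an added example (not part of this KB article or the product), the following Python script parses a java.security file, including the backslash line continuation used in the property above, and reports which expected jdk.tls.disabledAlgorithms entries are present and what EC key-size floor is enforced. The file excerpt is constructed; the required-entry list is the caller's assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of a java.security file (not from a real Gateway), using the
# same backslash line continuation as the property shown above.
SAMPLE_JAVA_SECURITY = """\
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

def parse_java_security(text: str) -> Dict[str, str]:
    """Parse the Java properties syntax of java.security: '#'/'!' comments,
    key=value pairs, and a trailing backslash joining the next line.
    Escaped backslashes and ':' separators are not handled (audit helper only)."""
    props: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            pending.append(line[:-1])  # drop the backslash, keep reading
            continue
        pending.append(line)
        key, sep, value = "".join(pending).partition("=")
        pending = []
        if sep:
            props[key.strip()] = value.strip()
    return props

def disabled_entries(props: Dict[str, str]) -> List[str]:
    """Split jdk.tls.disabledAlgorithms into its comma-separated entries."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return [e.strip() for e in value.split(",") if e.strip()]

def ec_min_keysize(entries: List[str]) -> Optional[int]:
    """Return N from an 'EC keySize < N' entry, or None if EC sizes are unrestricted."""
    for entry in entries:
        m = re.fullmatch(r"EC\s+keySize\s*<\s*(\d+)", entry, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return None

def missing_entries(entries: List[str], required: List[str]) -> List[str]:
    """Report required entries absent from the file (case/whitespace-insensitive)."""
    norm = lambda s: re.sub(r"\s+", "", s).lower()
    present = {norm(e) for e in entries}
    return [r for r in required if norm(r) not in present]
```

Point parse_java_security at the contents of /opt/SecureSpan/JDK/jre/lib/security/java.security to audit a live Gateway; a non-empty result from missing_entries means the file still needs editing.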