Diffie-Hellman : Java Glossary



In SSL (Secure Sockets Layer) (https:) secure communications, the two ends must decide on a shared secret key without having arranged one in advance. The original method for doing that was called Diffie-Hellman. Alternatives include:


By default, Java no longer supports Diffie-Hellman. This means SSL will fail on sites that don’t support some alternative that Java supports. In theory, you can patch Java to make it work. I have not had success. The way I deal with it is to use Excelsior Jet which uses its own SSL implementation that supports Diffie-Hellmen. To enable it, you can make various patches:

java.security :

file by changing the jdk.tls.disabledAlgorithms property.

# Insert this code into java.security to turn Diffie Hellman back on

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4

jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        RSA_EXPORT, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC

You can also adjust:

// increase limit of Diffie-Hellman key size to 1024 or 2048
System.setProperty( "jdk.tls.ephemeralDHKeySize", "2048" );

or similar.

Java 1.8 now supports Diffie-Hellman 2048-bit MODP, when enabled. It used to support only 512 through 1024 bit.

Diffie-Helman will fail when the remote site demands a key bigger than 2048 bits. In that case, you can compile with Jet which supports larger keys, or use BouncyCastle.

Diffie-Hellman also uses SHA digests which are usually 128, 256 or 384 bits long.

This page is posted
on the web at:


Optional Replicator mirror
of mindprod.com
on local hard disk J:

Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

Your face IP:[]
You are visitor number