From owner-freebsd-ports@FreeBSD.ORG  Thu May 21 14:32:15 2015
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 1FADE490;
 Thu, 21 May 2015 14:32:15 +0000 (UTC)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com
 [IPv6:2607:f8b0:4003:c01::22e])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id D7020156D;
 Thu, 21 May 2015 14:32:14 +0000 (UTC)
Received: by obblk2 with SMTP id lk2so61756393obb.0;
 Thu, 21 May 2015 07:32:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:sender:in-reply-to:references:from:date:message-id
 :subject:to:cc:content-type;
 bh=oB5/pPP8FjBW6po5eiaHElZ1ohIO5Hp4bQO/Kx/JUdU=;
 b=EtkBdLiMogTOeaplbKg6AOKX0a7XgQAZ6EZJmKonQ+bla0QO9xECemmrSNb19Wn1cF
 kVuUoZT9BLy6H1Tk2Z996Ki4bSVH5aYBfG4HLXNSjSyjoYRM0T7guomINbJwHj3nXIB7
 5MN7pGx/KwqnJR6jFime7LqrgRrmXBATxsRXTsdfRXKYOpnxTegGxd7c+Z/j8Pm5npG6
 GRdBIlaorMeuIDIOBT6MyAKEcdf4PGrFK12c5W2qLudXsRUV4xNCSXVKvHs3TaFFssCM
 SmF+Dokhq0q+MiV/3Cz8WkSMprn/o/qqAeJQPFrGlpSHTZhOpUZODTat0VT67pEP5KpA
 pQ6A==
X-Received: by 10.202.179.9 with SMTP id c9mr2431150oif.24.1432218733928; Thu,
 21 May 2015 07:32:13 -0700 (PDT)
MIME-Version: 1.0
Sender: royce.williams@gmail.com
Received: by 10.202.132.78 with HTTP; Thu, 21 May 2015 07:31:52 -0700 (PDT)
In-Reply-To: <1432218119.630206.274805281.0C31484D@webmail.messagingengine.com>
References: <201505202140.t4KLekE6081029@fire.js.berklix.net>
 <555D0F37.8040605@delphij.net>
 <1432218119.630206.274805281.0C31484D@webmail.messagingengine.com>
From: Royce Williams <royce@tycho.org>
Date: Thu, 21 May 2015 06:31:52 -0800
X-Google-Sender-Auth: SLEEv6nDYGSXLTNtOMO7bxS4cJc
Message-ID: <CA+E3k91Vc3VOj2+8y-0sTqzYc=FX1+m0RU_rDQDMuPvVuK-0mA@mail.gmail.com>
Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect
 us? ?
To: Mark Felder <feld@freebsd.org>
Cc: FreeBSD Mailing List <freebsd-ports@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 14:32:15 -0000

On Thu, May 21, 2015 at 6:21 AM, Mark Felder <feld@freebsd.org> wrote:

>
>
> On Wed, May 20, 2015, at 17:48, Xin Li wrote:
> ]>
> > Well, currently OpenSSL do accept weak DH so _arguably_ it does affect
> > FreeBSD, and it's likely to break existing applications if we enforce
> > such restrictions (namely, Java 6).
> >
>
> AFAIK, Java doesn't support >1024 DH key until Java 8.


According to the simulated handshakes in the Qualys SSL Labs test results,
Java 7 is OK with DH at 2048.

Royce