Is it good to disable DH keypair?

I had the following exception when running Java code: 'Could not generate DH keypair' (I use TLSv1.2).

I transformed the prime size from 1024 to 2048 but I always get the same error.

Then I disabled DH, and it worked perfectly.

But, is it good to disable DH? Does it affect security? And when can we disable it?

  • You need to provide more details, such as the class and function you were using, and which options you used then and now. Generally DH stands for the Diffie-Hellman key exchange, which provides perfect forward secrecy. It typically negatively affects the security of your application to disable it, but whether it actually does or not depends on your threat model.
    – midor
    Jan 3 at 9:17

  • Please provide full stack traces and any info / changes on your runtime configuration.
    – Maarten Bodewes
    Jan 3 at 12:15

java cryptography tls1.2 diffie-hellman

edited Jan 3 at 9:18
Maths RkBala

asked Jan 3 at 9:14
miss mimi

1 Answer

But, is it good to disable DH?

That depends on the situation. Generally ECDH (Diffie-Hellman using elliptic curves instead of finite groups) is still available. Although that is slightly more vulnerable to quantum cryptanalysis, it generally increases security levels.

Does it affect security?

See above. You'd lose forward security if you have to rely on RSA_ modes.

And when can we disable it?

See above. Generally I'd disable it and make sure that ECDHE_ ciphersuites are available.

I'd be worried though if I didn't know why it would not be able to run. This could point to a badly configured software configuration.

answered Jan 3 at 12:14
Maarten Bodewes
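
A check for the advice in the answer above, as an added example that is not part of the original post or the JDK: it drops DHE_ suites from the JVM's default enabled list, refuses to continue if no ECDHE_ suite remains, and flags any RSA_ key-exchange suites that are still enabled. The class and method names are assumptions for illustration; the classification relies on the standard JSSE cipher suite naming.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class, not from the original post.
public class KeyExchangeAudit {

    // Classify a JSSE cipher suite by key exchange, using its standard name.
    static String keyExchange(String suite) {
        if (suite.contains("_ECDHE_")) return "ECDHE";   // ephemeral elliptic-curve DH
        if (suite.contains("_DHE_")) return "DHE";       // ephemeral finite-field DH
        if (suite.contains("_ECDH_") || suite.contains("_DH_")) return "STATIC_OR_ANON_DH";
        if (suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_")) return "STATIC_RSA";
        return "OTHER";                                  // TLS 1.3 suites, SCSV marker
    }

    // Remove finite-field DHE suites; fail closed if no ECDHE suite is left,
    // because TLS 1.2 connections would then have no forward-secret option.
    static String[] withoutDhe(String[] enabled) {
        List<String> kept = new ArrayList<>();
        boolean hasEcdhe = false;
        for (String suite : enabled) {
            String kx = keyExchange(suite);
            if (kx.equals("DHE")) continue;
            if (kx.equals("ECDHE")) hasEcdhe = true;
            kept.add(suite);
        }
        if (!hasEcdhe) {
            throw new IllegalStateException("no ECDHE suite left after disabling DHE");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        String[] filtered = withoutDhe(params.getCipherSuites());
        // Apply with SSLSocket.setSSLParameters(params) or SSLEngine.setSSLParameters(params).
        params.setCipherSuites(filtered);
        for (String suite : filtered) {
            String kx = keyExchange(suite);
            String note = kx.equals("STATIC_RSA") ? "  <-- no forward secrecy" : "";
            System.out.println(kx + "\t" + suite + note);
        }
    }
}
```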
