Hi,

If you haven't already figured this out, I believe you need to set this as a Java option at CAS startup (-Djdk.tls.ephemeralDHKeySize=2048). We use external Tomcat and have something like this in our systemd unit file, but it should work just as well if you are using just the CAS WAR:
Environment='JAVA_OPTS=-Djdk.tls.ephemeralDHKeySize=2048'

Jonathon

On Fri, Feb 5, 2021 at 8:59 AM Hervé Guillemet <[email protected]> wrote:

> I'm running a CAS 6 server with embedded Jetty and ssl checkers tell me
> that my DH parameter's size is only 1024. I haven't found any way to change
> it to 2048.
> my server.ssl configuration group looks like :
>
> protocol: TLS
> enabled-protocol: TLSv1.2 TLSv1.3
> ciphers:
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> Any idea ?
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b9917e9-3382-4fad-89e4-112e797ebae9n%40apereo.org.
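
To confirm the setting took effect after a restart, the following added example (not part of the original thread or of CAS) parses the temp-key line that openssl s_client prints and flags finite-field DH below 2048 bits. The sample outputs are constructed, and the function names and the host in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: verify the ephemeral DH size a TLS server negotiates.
MIN_DH_BITS=2048

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_BEFORE='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---'
SAMPLE_AFTER='---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---'
SAMPLE_ECDHE='Server Temp Key: ECDH, P-256, 256 bits'

# Print "<kex> <bits>" for the first temp-key line on stdin.
# Any single word is accepted before "Temp Key" because the label
# can differ between OpenSSL builds (assumption).
temp_key() {
    sed -n 's/^[A-Za-z]* Temp Key: \([A-Za-z0-9]*\),.* \([0-9][0-9]*\) bits$/\1 \2/p' | head -n 1
}

# Exit status: 0 acceptable, 1 finite-field DH below MIN_DH_BITS,
# 2 no temp-key line found in the input.
check_dh() {
    line=$(temp_key)
    if [ -z "$line" ]; then echo "UNKNOWN: no temp key line"; return 2; fi
    kex=${line%% *}
    bits=${line##* }
    if [ "$kex" = "DH" ] && [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK: DH $bits bits"; return 1
    fi
    echo "OK: $kex $bits bits"
}

# Live check against your own server (needs network): offering only the two
# DHE suites from the cipher list above forces a finite-field DH exchange.
probe() {  # usage: probe cas.example.org:8443  (hypothetical host)
    openssl s_client -connect "$1" -tls1_2 \
        -cipher 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256' \
        </dev/null 2>/dev/null | check_dh
}

# Offline demonstration on the constructed samples.
for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER" "$SAMPLE_ECDHE"; do
    printf '%s\n' "$s" | check_dh || true
done
```

A client that negotiates one of the ECDHE suites never exercises the DH parameters, which is why the live probe restricts the offer to the DHE suites.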
