04-11-2016 01:25 AM - edited 03-17-2019 06:01 PM
Hi,
the latest Expressway requires Diffie-Hellman keys to be at least 1024 bits in size.
Unfortunately Jabber Guest still uses 768 bits as the "Server Temp Key" on Tomcat. Therefore you can't use Jabber Guest (doesn't matter which version; I tried 10.6.9 and 10.6.10) with Expressway 8.7.2.
I also checked the settings of Tomcat and there is the appropriate setting in /opt/cisco/jabber/conf/mss-sip-stack-properties (which I assume is the relevant file):
# support 2048 bits for Ephemeral Diffie-Hellman Keys
jdk.tls.ephemeralDHKeySize=2048
Unfortunately this doesn't work or at least the results are not as expected.
Trying to connect with openssl (openssl s_client -connect <JabberGuestServer>:5061) shows:
-- snip --
Client Certificate Types: RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1:RSA+MD5
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 3205 bytes and written 210 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
-- snip --
Expressway shows "dh key too small" in the log file and "TLS negotiation failure" when checking the zone status.
It works perfectly with Expressway 8.6.1 (haven't tried 8.7.1 so far).
Log files / dumps / screenshots are available upon request, but I think the problem is quite clear and hopefully it will be easy to solve.
Thanks and best regards
Wolfgang
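The check described in the post, turned into a small script as an added example (not part of the original post or of any Cisco tooling): it runs the same openssl s_client probe, pulls the "Server Temp Key" size out of the output and compares it with the 1024-bit minimum the post says Expressway 8.7.2 enforces. It assumes openssl is on PATH; the sample output embedded below is constructed from the lines quoted above so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example: flag TLS servers whose ephemeral DH key is too small for
# Expressway 8.7.2 (which logs "dh key too small" below 1024 bits).

MIN_DH_BITS=1024   # minimum stated in the post for Expressway 8.7.2

# dh_bits_from_output: read openssl s_client output on stdin and print the
# bit size from the "Server Temp Key: DH, N bits" line. Prints 0 when no
# DH temp key line is present (ECDHE/RSA key exchange or failed handshake).
dh_bits_from_output() {
    awk '/^Server Temp Key: DH, [0-9]+ bits/ {
             sub(/.*DH, /, ""); sub(/ bits.*/, ""); print; found = 1
         }
         END { if (!found) print 0 }'
}

# dh_key_ok BITS: succeed only when BITS meets the minimum.
dh_key_ok() {
    [ "$1" -ge "$MIN_DH_BITS" ]
}

# probe_dh HOST PORT: handshake with a DHE-only cipher list so the server has
# to present its DH temp key, then print the key size (assumed usage:
# probe_dh jabberguest.example 5061; hostname is a placeholder).
probe_dh() {
    openssl s_client -connect "$1:$2" -cipher DHE </dev/null 2>/dev/null \
        | dh_bits_from_output
}

# Constructed sample: the relevant lines from the s_client output above.
SAMPLE_OUTPUT='Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
Server public key is 4096 bit'

# sample_dh_bits: parse the constructed sample instead of a live server.
sample_dh_bits() {
    printf '%s\n' "$SAMPLE_OUTPUT" | dh_bits_from_output
}

bits=$(sample_dh_bits)
if dh_key_ok "$bits"; then
    echo "DH temp key ${bits} bits: meets the ${MIN_DH_BITS}-bit minimum"
else
    echo "DH temp key ${bits} bits: below ${MIN_DH_BITS}-bit minimum, Expressway will reject the handshake"
fi
```

Against a live Jabber Guest server, replace the sample with `probe_dh <host> 5061`; a result of 768 reproduces the failure the post describes, and 2048 is what the jdk.tls.ephemeralDHKeySize setting is meant to produce.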