After disabling the lower-level SSL and TLS protocols, and only using TLSv1.2 for our DevTest components, we are still failing our internal security scan. The Security team is now flagging the system with the following statement:
“The increase in vulnerability is due to the weak key size for TLS1.2, and the minimum size needs to be 112 keys.”
All supported DevTest releases and platforms.
The cipher keys are determined by the Java Runtime Environment.
For 10.7.2, with or without HotFix and Service Packs, the easiest way to solve this issue is to modify the DEVTEST_HOME\jre\lib\security\java.security file and change the DH keySize in jdk.tls.disabledAlgorithms to force all Ciphers to use 2048 bit keys. By default, the DH keySize is < 1024.
Change:
jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL
To:
jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DHE
You will need to make this change on all DevTest servers. You will need to restart (bounce) the DevTest services before the change takes effect.
For 10.8 and up, modify the DEVTEST_HOME\jre\conf\security\java.security file and make the same changes.
If you are working with a high-performance environment, the TLS_DHE ciphers have a tendency to run slower. Therefore, you may want to manually disable them by adding them specifically to jdk.tls.disabledAlgorithms. You can run the attached 'Supported_Java_Cipherers_v2.mar' (DevTest Test) to see which supported ciphers are available for the JVM, and then modify the java.security file to specifically not use the TLS_DHE_... ciphers. Note: This test uses the JRE from the DevTest Workstation machine where the test was executed.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, \
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, \
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
For more information on configuring the jdk.tls.disabledAlgorithms, see Additional information on Oracle's JDK and JRE Cryptographic Algorithms
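One way to confirm that java.security was edited as described on each server, as an added example (not part of the original article or of DevTest): a Python check that joins the backslash-continued jdk.tls.disabledAlgorithms value and reports the DH key-size floor and any explicitly disabled TLS_DHE_ suites. The function names and the sample text are constructed for illustration, and the check assumes the property uses `=` as its separator.

```python
import re

# Constructed sample: java.security fragment carrying the article's edited value.
SAMPLE = r"""
# comments and other properties are ignored
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
"""

def read_property(text, name):
    """Return the value of `name`, joining backslash-continued lines."""
    value, buf = None, ""
    for raw in text.splitlines() + [""]:   # sentinel flushes a trailing continuation
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical, buf = buf + line, ""
        key, sep, val = logical.partition("=")
        if sep and key.strip() == name:
            value = val.strip()             # a later definition overrides an earlier one
    return value

def audit(text, min_dh_bits=2048):
    """Report the DH key-size floor and explicitly disabled TLS_DHE_ suites."""
    value = read_property(text, "jdk.tls.disabledAlgorithms")
    if value is None:
        return {"present": False, "dh_floor": None, "dh_ok": False, "dhe_suites": []}
    entries = [e.strip() for e in value.split(",") if e.strip()]
    dh_floor = None
    for e in entries:
        m = re.fullmatch(r"DH\s+keySize\s*(<=|<)\s*(\d+)", e)
        if m:
            # "< N" rejects keys below N; "<= N" also rejects N itself
            dh_floor = int(m.group(2)) + (m.group(1) == "<=")
    return {
        "present": True,
        "dh_floor": dh_floor,
        "dh_ok": dh_floor is not None and dh_floor >= min_dh_bits,
        "dhe_suites": [e for e in entries if e.startswith("TLS_DHE_")],
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

This inspects the file only; the running JVM picks up the value after the DevTest services are restarted.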