author Glenn Matthys <glenn@webmind.be> 2016-01-17 23:15:38 +0100
committer Glenn Matthys <glenn@webmind.be> 2016-01-17 23:15:38 +0100
commit 7e5107ef3e2bb0d7c31d3050fb8ba6cc1601ef1a (patch)
tree 54db0aada93b88f913f0b91fa09987a2fb47edab
parent 1607b9f90face68eecd5df3e8e7677ba1f22e1e7 (diff)
Describe how DH key bitlength can be influenced
-rw-r--r-- src/site/setup_transport_http.mkd 10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/site/setup_transport_http.mkd b/src/site/setup_transport_http.mkd
index fd611d43..5329a188 100644
--- a/src/site/setup_transport_http.mkd
+++ b/src/site/setup_transport_http.mkd
@@ -17,6 +17,16 @@ Value = <em>false</em></pre>
- **Command-line Git** ([Git-Config Manual Page](http://www.kernel.org/pub/software/scm/git/docs/git-config.html))
<pre>git config --global --bool --add http.sslVerify false</pre>
+**NOTE:**
+When generating self-signed certificates, the default Java TLS settings will be used. These default settings will generate a weak Diffie-Hellman key.
+#### Java 8
+The default is a 1024 bit DH key.
+You can up the number of bits used by appending the following command line parameter when starting Gitblit:
+<pre>-Djdk.tls.ephemeralDHKeySize=2048</pre>
+2048 bits is the maximum (Java limitation), and is still considered secure as of this writing.
+#### Java 7
+The default is a 768 bit key. <b>This is hardcoded in Java 7 and cannot be changed.</b>. It is very weak. If you require longer DH keys, use Java 8.
+
### Http Post Buffer Size
You may find the default post buffer of your git client is too small to push large deltas to Gitblit. Sometimes this can be observed on your client as *hanging* during a push. Other times it can be observed by git erroring out with a message like: error: RPC failed; result=52, HTTP code = 0.
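Review bot: The first sentence of the added NOTE ("When generating self-signed certificates, the default Java TLS settings will be used") ties the weak DH key to certificate generation, but the parameter offered below it, -Djdk.tls.ephemeralDHKeySize=2048, sizes the ephemeral Diffie-Hellman key used during the TLS handshake and does not change anything in the certificate. Suggest rewording so the note says the JVM's default ephemeral DH key size applies to Gitblit's HTTPS connections regardless of how the certificate was made. In the Java 8 part, "appending the following command line parameter" is ambiguous: a -D option only sets a system property when it is given as a JVM option ahead of the jar or main class, so the text should say where it goes or name the startup script to edit. Two smaller points: the Java 7 line ends with `</b>.` after a sentence that already carries its period, leaving a doubled full stop, and "as of this writing" would age better with the date stated.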