Why won't Java6 connect to Monetra anymore? It used to work.

As of Monetra 7 update 14.3, Monetra enables TLS Forward Secrecy for incoming connections to enhance security. That means cipher suites which use DHE or ECDHE for key exchange are now supported. As part of enabling Forward Secrecy, Monetra now uses DH parameters of 2236 bits and the ECDH curve ANSI X9.62 Prime 256v1 for the best balance of security and compatibility.

However, it is known that old and unsupported Java versions (such as Java 6), or users of the OpenJDK Java implementation rather than the official Oracle Java, are incapable of handling DH parameters over 1024 bits in length, and rather than falling back to another cipher suite, they fail to connect. The use of 1024-bit DH parameters would be in violation of current security standards, so it is not supported by Monetra. Integrators should also be advised that old Java versions would not be PCI compliant due to their lack of updates, support, and security fixes; therefore this is not considered a compatibility issue.

The proper fix is to upgrade the version of Java being used. The issue was fixed as of Java 7u21. For users of OpenJDK, you should update to version 8, use the Bouncy Castle crypto provider, or use Oracle's official Java version.
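The following is an added diagnostic example, not Monetra's code or part of the original FAQ. It checks two things from the Java runtime's point of view: whether the JVM's DH implementation will even accept a key size above 1024 bits, and which cipher suite a real TLS handshake negotiates (or what exception is raised when it fails). The host and port are placeholders to be replaced with your own Monetra endpoint; the exact exception text varies by Java version.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (not Monetra's own code): probe a JVM for the >1024-bit DH
// limitation described in the FAQ, then attempt a real TLS handshake and
// report the negotiated cipher suite.
public class DhSizeProbe {

    // Returns true if this JVM's DH key pair generator accepts the given size.
    // Old JDKs (e.g. Java 6) throw InvalidParameterException for anything
    // above 1024 bits; this is a quick indicator, not a full TLS test.
    static boolean supportsDhSize(int bits) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
            kpg.initialize(bits);
            return true;
        } catch (InvalidParameterException e) {
            return false;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    // Performs a TLS handshake with the default JSSE settings and returns the
    // negotiated cipher suite name, or "FAILED: <exception>" if the handshake
    // did not complete (which is what a DH-limited JVM shows against a
    // server that only offers large DHE parameters).
    static String negotiatedSuite(String host, int port) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            return socket.getSession().getCipherSuite();
        } catch (Exception e) {
            return "FAILED: " + e;
        }
    }

    public static void main(String[] args) {
        // Placeholder endpoint (assumption): replace with your Monetra host/port.
        String host = args.length > 0 ? args[0] : "monetra.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8665;

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        for (int bits : new int[] {1024, 2048}) {
            System.out.printf("DH %4d-bit key generation: %s%n",
                    bits, supportsDhSize(bits) ? "accepted" : "REJECTED");
        }
        System.out.println("TLS handshake to " + host + ":" + port + " -> "
                + negotiatedSuite(host, port));
    }
}
```

If the 2048-bit probe is rejected, or the handshake fails while a current Java 8 runtime on the same machine negotiates an ECDHE or DHE suite, the runtime itself is the problem and the upgrade path above applies; a negotiated suite name beginning with TLS_ECDHE or TLS_DHE confirms Forward Secrecy is in use.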

Some official Java bug reports on this:
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7044060
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6521495

If such a Java version is required, and its use has been signed off on by the Acquirer, then workarounds do exist, such as those suggested here: http://stackoverflow.com/a/6862383

Finally, as of Monetra 7 update 14.4, there is a configuration flag, ssl_dh_enable, in the main.conf file. If it is set to no, DH parameters will not be loaded at all in Monetra, so DHE cipher suites are not offered. ECDH parameters will still be loaded, which should allow modern clients to continue to connect with Forward Secrecy over ECDHE.