At least JSSE Java uses random primes (generated at startup). However the Java 8 default of 1024 is rather weak (not to mention the 768 bit of java 6+7). Whats worse is, that clients accept down to 512 bit. (And the client side is harder to protect with ssl accelerators). But there is SunPKCS11-NSS as an provider.
