[
https://issues.jboss.org/browse/JBIDE-18454?page=com.atlassian.jira.plugi...
]
Andre Dietisheim edited comment on JBIDE-18454 at 9/30/14 8:31 AM:
-------------------------------------------------------------------
*Why is this happening?*
The current version of the JDK doesn't support DHE key sizes larger than 1024 bits.
{quote}
The openjdk-1.7.0 as shipped in RHEL-6.6 beta doesn't support ECC (and by extension
ECDHE), see
https://bugzilla.redhat.com/show_bug.cgi?id=1121211 for details. That's
why it doesn't negotiate ECDHE cipher suite and falls back to DHE even though the
server does negotiate it with NSS or openssl clients.
{quote}
This wasn't a problem in prior versions of httpd because DHE keys larger than 1024
bits weren't being provided during handshake. The upcoming httpd offers larger DHE
keys by default and would require obscure configuration changes to match the current
behavior.
The httpd configuration shipped with OSE includes an SSLCipherSuite which prefers ECDHE
and EDH ciphers over others (which may work with "old" JDK clients). Java
clients tell httpd that they can use EDH, but the maximum keysize either can't be or
isn't specified during handshake, leading to the issue at hand.
was (Author: adietish):
*Why is this happening?*
The current version of the JDK doesn't support DHE key sizes larger than 1024 bits.
{quote}
The openjdk-1.7.0 as shipped in RHEL-6.6 beta doesn't support ECC (and by extension
ECDHE), see bug 1121211 for details. That's why it doesn't negotiate ECDHE cipher
suite and falls back to DHE even though the server does negotiate it with NSS or openssl
clients.
{quote}
This wasn't a problem in prior versions of httpd because DHE keys larger than 1024
bits weren't being provided during handshake. The upcoming httpd offers larger DHE
keys by default and would require obscure configuration changes to match the current
behavior.
The httpd configuration shipped with OSE includes an SSLCipherSuite which prefers ECDHE
and EDH ciphers over others (which may work with "old" JDK clients). Java
clients tell httpd that they can use EDH, but the maximum keysize either can't be or
isn't specified during handshake, leading to the issue at hand.
Can't connect to OpenShift running on RHEL 6.6 when using openjdk
(javax.net.ssl.SSLException: Could not generate DH keypair)
----------------------------------------------------------------------------------------------------------------------------
Key: JBIDE-18454
URL: https://issues.jboss.org/browse/JBIDE-18454
Project: Tools (JBoss Tools)
Issue Type: Bug
Components: openshift
Affects Versions: 4.2.0.CR1
Reporter: Andre Dietisheim
Priority: Blocker
In https://bugzilla.redhat.com/show_bug.cgi?id=1145848 openshift-java-client can't connect
to OpenShift running on RHEL 6.6 when using openjdk. We have to verify that this affects
the Eclipse based tooling (that's also using openshift-java-client).
{code}
java.io.IOException: com.openshift.client.OpenShiftEndpointException: Could not request https://broker.ose21z-auto.com.cn/broker/rest/api: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
    at hudson.plugins.openshift.OpenShiftCloud.getOpenShiftConnection(OpenShiftCloud.java:186)
    at hudson.plugins.openshift.OpenShiftCloud.getSlaves(OpenShiftCloud.java:877)
    at hudson.plugins.openshift.OpenShiftCloud.provisionSlave(OpenShiftCloud.java:451)
    at hudson.plugins.openshift.OpenShiftCloud.provision(OpenShiftCloud.java:413)
    at hudson.slaves.NodeProvisioner.update(NodeProvisioner.java:281)
    at hudson.slaves.NodeProvisioner.access$000(NodeProvisioner.java:51)
    at hudson.slaves.NodeProvisioner$NodeProvisionerInvoker.doRun(NodeProvisioner.java:368)
    at hudson.triggers.SafeTimerTask.run(SafeTimerTask.java:54)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: com.openshift.client.OpenShiftEndpointException: Could not request https://broker.ose21z-auto.com.cn/broker/rest/api: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
{code}
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
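
A diagnostic for the client-side condition this issue describes, added here as an example and not taken from the issue, openshift-java-client or JBoss Tools: it reports which DH modulus sizes the running JRE accepts, whether an EC key pair generator is present, and which DHE/ECDHE suites the client offers by default. The class name `DhSupportProbe` is hypothetical, and `KeyPairGenerator.initialize(int)` is used as a proxy for the size check that the TLS handshake hits when the server sends its DH parameters.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;

// Hypothetical helper class (not part of any project named in this issue).
public class DhSupportProbe {

    // True if this JRE's DH KeyPairGenerator accepts the given modulus size.
    // Only the size check runs here; no key pair is generated, so this is fast.
    static boolean dhSizeSupported(int bits) throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
        try {
            kpg.initialize(bits);
            return true;
        } catch (InvalidParameterException e) {
            return false;
        }
    }

    // True if an EC KeyPairGenerator is registered, which ECDHE suites need.
    static boolean ecAvailable() {
        try {
            KeyPairGenerator.getInstance("EC");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Sizes chosen for illustration: 1024 plus common larger server defaults.
        for (int bits : new int[] {1024, 1536, 2048, 3072, 4096}) {
            System.out.printf("DH %d-bit: %s%n", bits,
                    dhSizeSupported(bits) ? "supported" : "REJECTED");
        }
        System.out.println("EC KeyPairGenerator available: " + ecAvailable());
        // Ephemeral key-exchange suites this client puts in its ClientHello by default.
        for (String suite : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (suite.contains("_DHE_") || suite.contains("_ECDHE_")) {
                System.out.println("offered: " + suite);
            }
        }
    }
}
```

A JRE that prints DHE suites as offered, rejects the larger DH sizes and has no EC generator matches the combination described in the comment above.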