[jbosstools-issues] [JBoss JIRA] (JBIDE-18454) Cant connect to OpenShift running on RHEL 6.6 (javax.net.ssl.SSLException: Could not generate DH keypair)

Andre Dietisheim (JIRA) issues at jboss.org
Wed Oct 1 09:02:03 EDT 2014


    [ https://issues.jboss.org/browse/JBIDE-18454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13007674#comment-13007674 ] 

Andre Dietisheim edited comment on JBIDE-18454 at 10/1/14 9:01 AM:
-------------------------------------------------------------------

My guess is that the cipher priorities are different in jdk8 and jdk7/macosx, thus working even if the key size for DHE ciphers is still 1024 bits. In FC20/openjdk170_51/sunjdk_170_51 I have the following priorities:

{code}
[SSL_RSA_WITH_RC4_128_MD5,
 SSL_RSA_WITH_RC4_128_SHA,
 TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
 SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
 SSL_RSA_WITH_DES_CBC_SHA,
 SSL_DHE_RSA_WITH_DES_CBC_SHA,
 SSL_DHE_DSS_WITH_DES_CBC_SHA,
 SSL_RSA_EXPORT_WITH_RC4_40_MD5,
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
 TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
{code}

Weak RSA ciphers come first and were afais removed from RHEL6.6/OSE2.1: https://bugzilla.redhat.com/show_bug.cgi?id=1127667#c4 http://pkgs.devel.redhat.com/cgit/rpms/httpd/commit/?id=6efd2b3eb1501df4a792a3ebb35f435c1fa4fc3f (see -RSA). Thus DHE ciphers are then used and fail because the server is using keys > 1024.


was (Author: adietish):
My guess is that the cipher priorities are different in jdk8 and jdk7/macosx, thus working even if the key size for DHE ciphers is still 1024 bits. In FC20/openjdk170_51/sunjdk_170_51 I have the following priorities:

{code}
[SSL_RSA_WITH_RC4_128_MD5,
 SSL_RSA_WITH_RC4_128_SHA,
 TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
 SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
 SSL_RSA_WITH_DES_CBC_SHA,
 SSL_DHE_RSA_WITH_DES_CBC_SHA,
 SSL_DHE_DSS_WITH_DES_CBC_SHA,
 SSL_RSA_EXPORT_WITH_RC4_40_MD5,
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
 TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
{code}

RSA keys that come first are all considered weak and were afais removed from RHEL6.6/OSE2.1: https://bugzilla.redhat.com/show_bug.cgi?id=1127667#c4 http://pkgs.devel.redhat.com/cgit/rpms/httpd/commit/?id=6efd2b3eb1501df4a792a3ebb35f435c1fa4fc3f (see -RSA). Thus DHE ciphers are then used and fail because the server is using keys > 1024.

> Cant connect to OpenShift running on RHEL 6.6 (javax.net.ssl.SSLException: Could not generate DH keypair)
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: JBIDE-18454
>                 URL: https://issues.jboss.org/browse/JBIDE-18454
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: openshift
>    Affects Versions: 4.2.0.CR1
>            Reporter: Andre Dietisheim
>            Assignee: Andre Dietisheim
>            Priority: Blocker
>             Fix For: 4.2.0.CR2
>
>         Attachments: ssl-error-on-connect.png
>
>
> In https://bugzilla.redhat.com/show_bug.cgi?id=1145848 openshift-java-client can't connect to OpenShift running on RHEL 6.6 when using openjdk. We have to verify that this affects the Eclipse based tooling (that's also using openshift-java-client)
> {code}
> java.io.IOException: com.openshift.client.OpenShiftEndpointException: Could not request https://broker.ose21z-auto.com.cn/broker/rest/api: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
>         at hudson.plugins.openshift.OpenShiftCloud.getOpenShiftConnection(OpenShiftCloud.java:186)
>         at hudson.plugins.openshift.OpenShiftCloud.getSlaves(OpenShiftCloud.java:877)
>         at hudson.plugins.openshift.OpenShiftCloud.provisionSlave(OpenShiftCloud.java:451)
>         at hudson.plugins.openshift.OpenShiftCloud.provision(OpenShiftCloud.java:413)
>         at hudson.slaves.NodeProvisioner.update(NodeProvisioner.java:281)
>         at hudson.slaves.NodeProvisioner.access$000(NodeProvisioner.java:51)
>         at hudson.slaves.NodeProvisioner$NodeProvisionerInvoker.doRun(NodeProvisioner.java:368)
>         at hudson.triggers.SafeTimerTask.run(SafeTimerTask.java:54)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: com.openshift.client.OpenShiftEndpointException: Could not request https://broker.ose21z-auto.com.cn/broker/rest/api: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
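
Added example, not part of the original message or of openshift-java-client: a small probe for the hypothesis in the comment above. It reports which suite a client preference list ends up on once RSA key-exchange suites are refused, and whether the running JVM's DH key pair generator accepts 1024-bit and 2048-bit sizes. The class name, the helper names and the server behaviour (honours client order, drops only `SSL_RSA_*`/`TLS_RSA_*`) are assumptions made for illustration.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import javax.net.ssl.SSLContext;

public class DhHandshakeProbe {

    // Head of the client preference list quoted in the comment above.
    static final String[] PAGE_ORDER = {
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    };

    // Assumption: the server honours client order and only drops RSA key exchange.
    static String firstAccepted(String[] clientOrder) {
        for (String suite : clientOrder) {
            boolean rsaKeyExchange = suite.startsWith("SSL_RSA_") || suite.startsWith("TLS_RSA_");
            // The SCSV entry is a signalling value, never a negotiable suite.
            if (!rsaKeyExchange && !suite.endsWith("_SCSV")) {
                return suite;
            }
        }
        return null;
    }

    // True if this JVM's DH key pair generator accepts a modulus of the given size.
    static boolean dhSizeSupported(int bits) throws Exception {
        try {
            KeyPairGenerator.getInstance("DH").initialize(bits);
            return true;
        } catch (InvalidParameterException e) {
            System.out.println(bits + "-bit DH rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        String[] jvmOrder = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        System.out.println("page list picks: " + firstAccepted(PAGE_ORDER));
        System.out.println("this JVM picks:  " + firstAccepted(jvmOrder));
        for (int bits : new int[] {1024, 2048}) {
            System.out.println("DH " + bits + " bits supported: " + dhSizeSupported(bits));
        }
    }
}
```

A JVM whose picked suite contains `_DHE_` and whose 2048-bit probe prints `false` is in the situation the comment describes.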

