[jbosstools-issues] [JBoss JIRA] (JBIDE-18454) Can't connect to OpenShift running on RHEL 6.6 when using openjdk (javax.net.ssl.SSLException: Could not generate DH keypair)

Andre Dietisheim (JIRA) issues at jboss.org
Tue Sep 30 08:30:02 EDT 2014


    [ https://issues.jboss.org/browse/JBIDE-18454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13007263#comment-13007263 ] 

Andre Dietisheim edited comment on JBIDE-18454 at 9/30/14 8:29 AM:
-------------------------------------------------------------------

*Why is this happening?*
The current version of the JDK doesn't support EDH key sizes larger than 1024 bits.

From https://bugzilla.redhat.com/show_bug.cgi?id=1035818#c41:
The openjdk-1.7.0 as shipped in RHEL-6.6 beta doesn't support ECC (and by extension ECDHE), see bug 1121211 for details. That's why it doesn't negotiate ECDHE cipher suite and falls back to DHE even though the server does negotiate it with NSS or openssl clients.

This wasn't a problem in prior versions of httpd because DHE keys larger than 1024 bits weren't being provided during handshake. The upcoming httpd offers larger DHE keys by default and would require obscure configuration changes to match the current behavior.

The httpd configuration shipped with OSE includes an SSLCipherSuite which prefers ECDHE and EDH ciphers over others (which may work with "old" JDK clients). Java clients tell httpd that they can use EDH, but the maximum keysize either can't be or isn't specified during handshake, leading to the issue at hand.



was (Author: adietish):
Apparently the problem is lacking support for DHE keys < 1024 bits. In Sun jdk this was fixed in 2013 while openjdk is still not corrected.
In http://stackoverflow.com/questions/6851461/java-why-does-ssl-handshake-give-could-not-generate-dh-keypair-exception the solution they found was to remove the *DHE* cipher and force using a different cipher.

> Can't connect to OpenShift running on RHEL 6.6 when using openjdk (javax.net.ssl.SSLException: Could not generate DH keypair)
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JBIDE-18454
>                 URL: https://issues.jboss.org/browse/JBIDE-18454
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: openshift
>    Affects Versions: 4.2.0.CR1
>            Reporter: Andre Dietisheim
>            Priority: Blocker
>
> In https://bugzilla.redhat.com/show_bug.cgi?id=1145848 openshift-java-client can't connect to OpenShift running on RHEL 6.6 when using openjdk. We have to verify that this affects the Eclipse based tooling (that's also using openshift-java-client).
> {code}
> java.io.IOException: com.openshift.client.OpenShiftEndpointException: Could not request https://broker.ose21z-auto.com.cn/broker/rest/api: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
>         at hudson.plugins.openshift.OpenShiftCloud.getOpenShiftConnection(OpenShiftCloud.java:186)
>         at hudson.plugins.openshift.OpenShiftCloud.getSlaves(OpenShiftCloud.java:877)
>         at hudson.plugins.openshift.OpenShiftCloud.provisionSlave(OpenShiftCloud.java:451)
>         at hudson.plugins.openshift.OpenShiftCloud.provision(OpenShiftCloud.java:413)
>         at hudson.slaves.NodeProvisioner.update(NodeProvisioner.java:281)
>         at hudson.slaves.NodeProvisioner.access$000(NodeProvisioner.java:51)
>         at hudson.slaves.NodeProvisioner$NodeProvisionerInvoker.doRun(NodeProvisioner.java:368)
>         at hudson.triggers.SafeTimerTask.run(SafeTimerTask.java:54)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: com.openshift.client.OpenShiftEndpointException: Could not request https://broker.ose21z-auto.com.cn/broker/rest/api: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
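The workaround the comment points to (dropping the finite-field DHE suites so the client negotiates something else) as an added Java example; this is not code from the issue, from openshift-java-client or from the JBoss tooling. It also counts how many ECDHE and DHE suites the local JDK enables, which makes the ECDHE-to-DHE fallback described above visible on a JDK without ECC support. Class and method names are my own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper (not part of the project): inspects and filters TLS cipher suites. */
public class DheSuiteFilter {

    /** Returns the suites from 'enabled' whose key exchange is not finite-field ephemeral DH. */
    public static String[] withoutDhe(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String suite : enabled) {
            // Java names finite-field DHE suites "*_DHE_*" (e.g. TLS_DHE_RSA_WITH_AES_128_CBC_SHA).
            // ECDHE suites are "*_ECDHE_*", so "_DHE_" does not match them and they are kept.
            if (!suite.contains("_DHE_")) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Counts key-exchange families; ECDHE=0 on a JDK without ECC explains the DHE fallback. */
    public static String summarize(String[] suites) {
        int ecdhe = 0, dhe = 0, other = 0;
        for (String s : suites) {
            if (s.contains("_ECDHE_")) ecdhe++;
            else if (s.contains("_DHE_")) dhe++;
            else other++;
        }
        return "ECDHE=" + ecdhe + " DHE=" + dhe + " other=" + other;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        System.out.println("JDK default suites: " + summarize(factory.getDefaultCipherSuites()));
        // An unconnected socket is enough to read and change the enabled suites.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            socket.setEnabledCipherSuites(withoutDhe(socket.getEnabledCipherSuites()));
            System.out.println("After filtering:    " + summarize(socket.getEnabledCipherSuites()));
        }
    }
}
```

On a JDK that enables no ECDHE suites, removing DHE leaves only non-ephemeral RSA key exchange, so the workaround restores connectivity at the cost of forward secrecy; updating the JDK (or the ECC support the bugzilla comment refers to) is the durable fix.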