Diffie-Hellman limit issues with java 1.7 and Connection Failure

Suppose calling a https url.

Error is was returning:

ErrorDetail    I/O Exception: peer not authenticated
Filecontent    Connection Failure
Mimetype    Unable to determine MIME type of file.
Statuscode    Connection Failure. Status code unavailable.

Debugging this ended up with with an error like so:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair


Added certificate of the URL to the cacerts file with keytool
No luck

Changed to unlimited strength like so http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
No luck

Added this to JVM 1.7 config (not sure this is even supported)
-Djdk.tls.ephemeralDHKeySize=2048
No luck


Tried switching to JVM 1.8 config;
-Djdk.tls.ephemeralDHKeySize=2048
No luck

Added DH to in java.security disabledAlgorithms
jdk.certpath.disabledAlgorithms=MD2,DH

Bingo

Given that Diffle-Hellman key exchange of 1024 can be possibly broken, this is probably not such a bad thing.





Comments

Post a Comment

Popular posts from this blog

Global SQL Procedure, System Objects and sp_ms_marksystemobject

You may come across a need to have a database of utils full of generic procedures which work on indvidual databases (say client databases). You can't pass the database name into the procedure as a parameter and say "use @dbname" in the procedure and dynamic sql sucks. One workaround is to create the procedure in the master database and then mark it as a system object. eg use [master] create procedure sp_doThis // note the sp_ prefix is required begin // etc etc end go exec sp_ms_marksystemobject 'sp_doThis' // second note, this procedure is undocumented, so I wouldn't be relying on this for life or death. use [myotherdb] exec sp_doThis go All done!
Read more

cf_sql_timestamp vs cf_sql_date vs getdate()

If there's one thing I don't like it is people confusing a date with a timestamp, and how a lazy bit of development can ruin a load of data. Here is a simple query inserting data to a timestamp I found in a system where all the created dates were truncated because of the incorrect syntax. Bad one which was in use: insert into testdate values (<cfqueryparam cfsqltype="cf_sql_date" value="#createodbcdatetime(now())#">); Result :  2015-09-29 00:00:00.000 Best One (easiest to read) insert into testdate values(getdate() ); Result : 2015-09-29 10:10:09.880 Not great (no binding) insert into testdate values(#createodbcdatetime(now())#); Result :  2015-09-29 10:14:44.000 What the bad one should have been insert into testdate values(<cfqueryparam cfsqltype=" cf_sql_timestamp " value="#createodbcdatetime(now())#">)
Read more

Lucee 4.5.2 cfpdfparam difference with Adobe ColdFusion

Suppose the following on Lucee 4.5.2: <cfset x = 1> <cfdocument format="pdf" pagetype="A4" name="myVar#x#"> <cfdocumentsection> Hi there </cfdocumentsection> </cfdocument> <cfpdf action="merge" destination="RAM:///myPDF.pdf" overwrite="yes">     <cfpdfparam source="#evaluate("myVar#x#")#" /> </cfpdf> <cfcontent file="RAM:///myPDF.pdf" type="application/pdf"> then to check it also runs on Adobe Cf; you'd actually end up with: "ByteArray objects cannot be converted to strings."   The original code for Adobe CF ran with the paramater like so:  <cfpdfparam source="myVar#x#" /> Both sets of documentation list source defined as follows: "Source PDF file to merge. You can specify a PDF variable, a cfdocument variable, or the pathname to a file." This would indicate it is just...
Read more