Diffie-Hellman limit issues with Java 1.7 and Connection Failure

Calling an https URL from an application running on Java 1.7 returned this:

ErrorDetail    I/O Exception: peer not authenticated
Filecontent    Connection Failure
Mimetype    Unable to determine MIME type of file.
Statuscode    Connection Failure. Status code unavailable.

Debugging this (for example with -Djavax.net.debug=ssl,handshake) surfaced the underlying exception:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair

This is a client-side failure. Java 7's built-in Diffie-Hellman implementation only accepts primes up to 1024 bits, so when the server sends larger ephemeral DH parameters in its ServerKeyExchange message (2048 bits is common), generating the client's DH key pair fails with this exception. Java 8 raised the limit to 2048 bits.


Added the server's certificate to the cacerts truststore with keytool.
No luck. Not surprising in hindsight: the exception is raised while generating the client's DH key, which is a separate step from certificate validation, so the truststore plays no part.

Installed the unlimited strength JCE policy files from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
No luck. The policy files only lift the limits on symmetric key lengths (AES-256 and the like); the DH prime size limit is hard-coded in the provider.

Added this to the JVM 1.7 options (not sure this is even supported in 1.7):
-Djdk.tls.ephemeralDHKeySize=2048
No luck. This property controls the size of the ephemeral DH parameters a JSSE server generates; it has no effect on the client side, which is where this failure occurs.


Tried switching to JVM 1.8 with the same option:
-Djdk.tls.ephemeralDHKeySize=2048
No luck.

Added DH to the disabled algorithms in java.security (under jre/lib/security):
jdk.certpath.disabledAlgorithms=MD2,DH

Bingo.

What this does: the client no longer offers any DH or DHE cipher suite, so the server has to choose an ECDHE or RSA suite and never sends the oversized DH parameters. Two caveats. jdk.certpath.disabledAlgorithms is documented for certificate path validation; the property intended for cipher suite filtering is jdk.tls.disabledAlgorithms (available from 7u75 and in 8), although JSSE in these releases consults the certpath constraints during suite selection as well, which is why the edit above takes effect. And java.security is JVM-wide, so every application on that JRE loses DH; check that ECDHE suites remain enabled, because a fallback to plain RSA key exchange gives up forward secrecy.

Given that 1024-bit Diffie-Hellman, the largest size this Java 7 client could use anyway, is considered within reach of well-resourced attackers (the 2015 Logjam research), dropping finite-field DH on the client is not much of a loss as long as ECDHE stays available. The durable fix is a Java release whose DH implementation accepts the parameter size the server uses.
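To verify what the disabled-algorithm change actually does to the client, here is an added Java example (mine, not code from the original post). It sets jdk.tls.disabledAlgorithms programmatically for the current JVM only, which is the per-process equivalent of the java.security edit, prints the cipher suites the default client will offer with a count of finite-field DH and ECDHE suites, and, if a host is passed on the command line, reports the suite actually negotiated. It assumes Java 7u75 or later, or Java 8, for jdk.tls.disabledAlgorithms; the class name DhCheck is made up.

```java
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example, not from the original post. Disables finite-field DH
// key exchange for this JVM via jdk.tls.disabledAlgorithms (Java 7u75+/8),
// then shows which suites the default client still offers. Class name
// DhCheck is made up. Java 7 syntax throughout (no lambdas or streams).
public class DhCheck {

    // True if the comma-separated list contains token as a whole entry
    // ("DH" must not match "ECDH" or "DH keySize < 1024" by substring).
    static boolean hasToken(String list, String token) {
        if (list == null) {
            return false;
        }
        for (String part : list.split(",")) {
            if (part.trim().equals(token)) {
                return true;
            }
        }
        return false;
    }

    // Must run before the first SSLContext or SSLSocketFactory is created:
    // JSSE reads the disabled-algorithm properties once, when it loads.
    static void disableFiniteFieldDh() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (hasToken(current, "DH")) {
            return;
        }
        String updated = (current == null || current.trim().isEmpty())
                ? "DH" : current + ", DH";
        Security.setProperty("jdk.tls.disabledAlgorithms", updated);
    }

    // Suites the default client context puts in its ClientHello, after
    // JSSE has applied the disabled-algorithm constraints.
    static String[] defaultClientSuites() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default trust store (cacerts)
        return ctx.getSocketFactory().getDefaultCipherSuites();
    }

    // Prints the list and warns if disabling DH left no forward-secret
    // (ECDHE) suite, which would push the client to plain RSA key exchange.
    static void report(String[] suites) {
        int ffdh = 0;
        int ecdhe = 0;
        for (String suite : suites) {
            // "_DH_" / "_DHE_" is finite-field DH; ECDH suite names contain
            // "CDH", not "_DH", so they are not counted here.
            if (suite.contains("_DH_") || suite.contains("_DHE_")) {
                ffdh++;
            }
            if (suite.contains("_ECDHE_")) {
                ecdhe++;
            }
            System.out.println(suite);
        }
        System.out.println(ffdh + " finite-field DH suite(s), "
                + ecdhe + " ECDHE suite(s) enabled");
        if (ecdhe == 0) {
            System.out.println("WARNING: no ECDHE suites; remaining suites have no forward secrecy");
        }
    }

    // Handshakes with host:port and returns the negotiated cipher suite.
    static String negotiatedSuite(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            return socket.getSession().getCipherSuite();
        }
    }

    public static void main(String[] args) throws Exception {
        disableFiniteFieldDh();
        report(defaultClientSuites());
        if (args.length > 0) {
            int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
            System.out.println("negotiated with " + args[0] + ": "
                    + negotiatedSuite(args[0], port));
        }
    }
}
```

Run it as "java DhCheck" to see the offered suites, or "java DhCheck host 443" to also see what a given server negotiates once DH is off the table. Running it again with the disableFiniteFieldDh() call commented out shows the DHE suites come back. To confirm the size of the DH group the server is sending, openssl s_client -cipher DHE -connect host:443 (OpenSSL 1.0.2 or later) prints a "Server Temp Key: DH, N bits" line.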
