[2.1.3-Java] Problem with SSL connections


William Lebel

Aug 29, 2013, 7:19:04 PM
to play-fr...@googlegroups.com
Hello everybody!

I'm getting an error when contacting an SSL website (https://api.digitalocean.com) using WS. The problem is that it doesn't happen all the time, so it's quite hard to pinpoint why it does it.

play.api.Application$$anon$1: Execution exception[[RuntimeException: Could not generate DH keypair]]
        at play.api.Application$class.handleError(Application.scala:289) ~[play_2.10.jar:2.1.3]
        at play.api.DefaultApplication.handleError(Application.scala:383) ~[play_2.10.jar:2.1.3]
        at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$play$core$server$netty$PlayDefaultUpstreamHandler$$handle$1$1.apply(PlayDefaultUpstreamH
        at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$play$core$server$netty$PlayDefaultUpstreamHandler$$handle$1$1.apply(PlayDefaultUpstreamH
        at play.api.libs.concurrent.PlayPromise$$anonfun$extend1$1.apply(Promise.scala:113) ~[play_2.10.jar:2.1.3]
        at play.api.libs.concurrent.PlayPromise$$anonfun$extend1$1.apply(Promise.scala:113) ~[play_2.10.jar:2.1.3]
Caused by: java.lang.RuntimeException: Could not generate DH keypair
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1359) ~[na:1.7.0_25]
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513) ~[na:1.7.0_25]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790) ~[na:1.7.0_25]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758) ~[na:1.7.0_25]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_25]
        at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1216) ~[netty.jar:na]
Caused by: java.lang.RuntimeException: Could not generate DH keypair
        at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:136) ~[na:1.7.0_25]
        at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:621) ~[na:1.7.0_25]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:205) ~[na:1.7.0_25]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) ~[na:1.7.0_25]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:808) ~[na:1.7.0_25]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:806) ~[na:1.7.0_25]
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
        at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:120) ~[na:na]
        at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:658) ~[na:1.7.0_25]
        at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:127) ~[na:1.7.0_25]
        at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:621) ~[na:1.7.0_25]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:205) ~[na:1.7.0_25]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) ~[na:1.7.0_25]


I searched on Google about the InvalidAlgorithmParameterException problem. I found this topic on Stack Overflow: http://stackoverflow.com/questions/6851461/java-why-does-ssl-handshake-give-could-not-generate-dh-keypair-exception. It says that the problem is fixed in the recent Java builds, but I have 1.7.0_25, so I really don't know how to fix it. Anybody got ideas?

Here's the piece of code if you need it:

// Play 2.1 Java API: WS client and the Jackson 1.x JsonNode it returns
import play.libs.WS;
import org.codehaus.jackson.JsonNode;

// Creates a droplet through the DigitalOcean API and returns its id, or 0 on failure.
public static int createDroplet(String name, long size_id, long image_id, long region_id) {
    int result = 0;
    // The second get() blocks on the promise; the TLS handshake (and the DH failure) happens here.
    WS.Response response = getBaseURL("droplets/new")
            .setQueryParameter("name", name)
            .setQueryParameter("size_id", String.valueOf(size_id))
            .setQueryParameter("image_id", String.valueOf(image_id))
            .setQueryParameter("region_id", String.valueOf(region_id))
            .get().get();
    JsonNode node = response.asJson();
    if (node.has("status") && node.get("status").asText().equals("OK")) {
        result = node.get("droplet").get("id").asInt();
    }
    return result;
}

// DIGITAL_OCEAN_API_URL, CLIENT_ID and API_KEY are constants defined elsewhere in the class.
public static WS.WSRequestHolder getBaseURL(String path) {
    return WS.url(DIGITAL_OCEAN_API_URL + path)
            .setQueryParameter("client_id", CLIENT_ID)
            .setQueryParameter("api_key", API_KEY);
}

Thanks in advance!
William

Daniel Alexiuc

May 31, 2015, 10:15:30 PM
to play-fr...@googlegroups.com
I'm getting the same error caused by the Java SSL bug. It seems like Java 1.8 kicks the can down the road a little, but still doesn't fix the problem.

Is there any workaround I can use? Has anyone had success excluding the DH algorithm somehow, and still being able to use Play WS?

Daniel

Will Sargent

Jun 1, 2015, 3:20:13 PM
to play-fr...@googlegroups.com
You're talking about a DH problem from last year:


This has been discussed in Oracle's security-dev mailing list, and there is a bug open for it:


The notes in JDK 1.8 on customizing DH keys are here:


so you should try jdk.tls.ephemeralDHKeySize=2048 at least, to see if it's the default legacy behavior at issue. If not, you can try disabling DH with


It's probably ECDH, 
jdk.tls.disabledAlgorithms="DHE keySize < 2048, ECDH keySize < 2048, ECDHE keySize < 2048, RSA keySize < 2048"

Make sure you define this as a property when you invoke Java, as setting it in the JVM itself is problematic:


If you really want to be paranoid, you can run Play with -jvm-debug, attach a debugger, and set a breakpoint inside the ServerHandshaker and verify it's not doing a DH key exchange directly:


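A standalone check of what key exchange the server actually negotiates, added here as an example and not code from the thread, from Play or from the JDK: it completes a handshake with the JVM defaults, then again with the DH/DHE cipher suites filtered out by name (withoutDh is a hypothetical helper), and reports protocol and cipher suite, which is the same fact the ServerHandshaker breakpoint above would reveal. It assumes port 443 and hostname verification via the Java 7 SSLParameters API; run it under the same JVM and -D options you start Play with so the result reflects that configuration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class DhHandshakeCheck {

    // Hypothetical helper (not from the thread): drop every suite whose key
    // exchange is Diffie-Hellman (DHE_ or DH_), leaving ECDHE and RSA suites.
    static String[] withoutDh(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String suite : enabled) {
            if (!suite.contains("_DHE_") && !suite.contains("_DH_")) {
                keep.add(suite);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    // Opens a TLS connection, completes the handshake and returns
    // "<protocol> <cipher suite>"; throws if the handshake fails.
    static String negotiatedSuite(String host, boolean excludeDh) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, 443);
        try {
            // A plain SSLSocket does not verify the hostname; turn it on (Java 7+).
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            if (excludeDh) {
                socket.setEnabledCipherSuites(withoutDh(socket.getEnabledCipherSuites()));
            }
            socket.startHandshake();
            return socket.getSession().getProtocol() + " " + socket.getSession().getCipherSuite();
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "api.digitalocean.com";
        // JVM defaults first (reproduces the DH failure on an affected JDK), then without DH suites.
        try {
            System.out.println("default   : " + negotiatedSuite(host, false));
        } catch (Exception e) {
            System.out.println("default   : handshake failed: " + e);
        }
        System.out.println("without DH: " + negotiatedSuite(host, true));
    }
}
```

Filtering the enabled suites on this one socket does not change what Play WS negotiates; it only shows whether the server offers a non-DH suite that a client-side exclusion could fall back to.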