Could not generate DH keypair on SSL
Symptoms
The following appears in the atlassian-bitbucket.log
:
2015-02-18 10:04:45,612 WARN [http-nio-7990-exec-5] @28C795x604x776664x0 3hqw0z 10.88.88.6,127.0.0.1 "POST /j_bitbucket_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider Co
uld not authenticate lorenzo.cubero; authentication by com.atlassian.bitbucket.bitbucket-authentication:crowdHttpAuthHandler failed
com.atlassian.bitbucket.user.AuthenticationSystemException: The remote authentication server is not available. Please try again later.
..
..
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: null
..
..
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_72]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884) ~[na:1.7.0_72]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1842) ~[na:1.7.0_72]
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1825) ~[na:1.7.0_72]
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1751) ~[na:1.7.0_72]
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:127) ~[na:1.7.0_72]
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.7.0_72]
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.7.0_72]
Cause
From the Apache article, beginning with version 2.4.7, mod_ssl
will use DH parameters which include primes with lengths of more than 1024 bits. However, Java 7 and earlier limit their support for DH prime sizes to a maximum of 1024 bits.
Resolution
You can do either of the following:
- Add DH parameter limits to the target server's certificate. First, generate custom DH parameters by using
openssl dhparam
command and apply it with the SSLCertificateFile directive. The custom DH parameters with a 1024-bit prime will always have precedence over any of the built-in DH parameters. This has been described here. Update your Java version to version 8 as the 1024-bit restriction should have been lifted to accept 2048-bit parameters.
However, there are reports that moving up to the latest JDK release did not resolve the issue
For reference: