Could not generate DH keypair on SSL

Miscellaneous

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Symptoms

The following appears in the atlassian-stash.log:

2015-02-18 10:04:45,612 WARN  [http-nio-7990-exec-5] @28C795x604x776664x0 3hqw0z 10.88.88.6,127.0.0.1 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider Co
uld not authenticate lorenzo.cubero; authentication by com.atlassian.stash.stash-authentication:crowdHttpAuthHandler failed
com.atlassian.stash.user.AuthenticationSystemException: The remote authentication server is not available. Please try again later.
..
..
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: null
..
..
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_72]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884) ~[na:1.7.0_72]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1842) ~[na:1.7.0_72]
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1825) ~[na:1.7.0_72]
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1751) ~[na:1.7.0_72]
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:127) ~[na:1.7.0_72]
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.7.0_72]
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.7.0_72]

Cause

From the Apache article, beginning with version 2.4.7, mod_ssl will use DH parameters which include primes with lengths of more than 1024 bits. However, Java 7 and earlier limit their support for DH prime sizes to a maximum of 1024 bits.

Resolution

You can do either of the following:

  • Add DH parameter limits to the target server's certificate. First, generate custom DH parameters by using openssl dhparam command and apply it with the SSLCertificateFile directive. The custom DH parameters with a 1024-bit prime will always have precedence over any of the built-in DH parameters. This has been described here.
  • Update your Java version to version 8 as the 1024-bit restriction should have been lifted to accept 2048-bit parameters.
    (warning) However, there are reports that moving up to the latest JDK release did not resolve the issue

For reference:

 

Last modified on Mar 30, 2016

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.