Reputation: 1249
Since a Linux update yesterday on my AWS machine I cannot connect to an HTTPS site anymore. I get the following error when running my Groovy (Java) script:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1842)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1825)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1346)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:439)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:424)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:178)
at org.jsoup.helper.HttpConnection.get(HttpConnection.java:167)
at org.jsoup.Connection$get$1.call(Unknown Source)
at SiteConnector.run(SiteConnector.groovy:59)
at groovy.lang.GroovyShell.runScriptOrMainOrTestOrRunnable(GroovyShell.java:258)
at groovy.lang.GroovyShell.run(GroovyShell.java:502)
at groovy.lang.GroovyShell.run(GroovyShell.java:491)
at groovy.ui.GroovyMain.processOnce(GroovyMain.java:650)
at groovy.ui.GroovyMain.run(GroovyMain.java:381)
at groovy.ui.GroovyMain.process(GroovyMain.java:367)
at groovy.ui.GroovyMain.processArgs(GroovyMain.java:126)
at groovy.ui.GroovyMain.main(GroovyMain.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.groovy.tools.GroovyStarter.rootLoader(GroovyStarter.java:106)
at org.codehaus.groovy.tools.GroovyStarter.main(GroovyStarter.java:128)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:136)
at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:621)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:205)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
... 24 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:120)
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:658)
at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:127)
... 31 more
I assume Amazon Linux has a new dependency on a Java version (1.7.0_65) with this bug - how can I get around it (https://stackoverflow.com/a/16687105/438001 mentions problems in the Java version)? What is a Java version without this problem and how can I install it on AWS (what would be the correct repository to resolve the dependency - Amazon Linux only shows me the current Java version to install with yum)?
If the Java version is not the problem, how can I get the following line working again (btw. this is line 59 mentioned in the stack trace):
Jsoup.connect(httpsURL).userAgent(USER_AGENT).timeout(TIMEOUT).get()
Many thanks in advance, Joerg
Upvotes: 0
Views: 1978
Reputation: 1697
If your case is like mine, and for some reason you can't upgrade Java to Java 8, what worked for me was updating Java 7, then upgrading NSS. I'm running CentOS 6.5; it had the same Java version, 1.7.0_65.
It updated to Java version 1.7.0_85, and to upgrade NSS, I ran "sudo yum upgrade nss", then everything worked.
I got the solution from this blog. I hope this helps somebody in the future.
Upvotes: 0
Reputation: 1249
Finally, my solution was to install Java 8 (jdk-8u20-linux-x64.tar.gz) based on these instructions - as @owlstead mentioned, at least Java 8 can support the encryption. I'm not sure if the problem occurred due to the update of the AWS Linux machine or if the website I tried to contact updated their encryption method (that was then incompatible with Java 7's encryption technique).
Upvotes: 1
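To check whether a given JVM has the limit named in the exception above ("Prime size must be multiple of 64, and can only range from 512 to 1024"), the following added example, which is not code from any of the posts, asks the default DH KeyPairGenerator to initialise at several prime sizes and reports which ones it accepts. The class name `DhSizeProbe` and the list of sizes are assumptions made for the illustration.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

// Added example (hypothetical class name): reports which Diffie-Hellman prime
// sizes the running JVM's default "DH" KeyPairGenerator accepts.
public class DhSizeProbe {

    // Constructed list of sizes to probe; 1024 is the upper bound quoted in
    // the exception text, the larger values are sizes a server may offer instead.
    static final int[] SIZES = {512, 1024, 1536, 2048, 3072, 4096};

    // Returns true if the provider accepts the size. Only initialize() is
    // called, so no (slow) parameter or key generation takes place.
    static boolean accepts(int bits) throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        try {
            kpg.initialize(bits);
            return true;
        } catch (InvalidParameterException e) {
            return false;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("DH provider  = " + kpg.getProvider().getName());
        int largest = 0;
        for (int bits : SIZES) {
            boolean ok = accepts(bits);
            if (ok) {
                largest = Math.max(largest, bits);
            }
            System.out.println(bits + " bits: " + (ok ? "accepted" : "rejected"));
        }
        if (largest <= 1024) {
            // Same limit as in the InvalidAlgorithmParameterException above.
            System.out.println("DH primes above 1024 bits are rejected by this "
                + "runtime; a DHE handshake with a server using a larger prime "
                + "will fail as in the stack trace.");
        }
    }
}
```

Run it with the same `java` binary that launches the Groovy script, since a machine can have several JREs installed and the result depends on the one actually used.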