Nishant Kansal

Reputation: 601

DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive)

I have a set-up in which I am executing a build from Jenkins on a Solaris Server connecting via sshexec task in ANT.

On triggering the build, it throws the error below:

com.jcraft.jsch.JSchException: Session.connect: java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 2047 is not supported.

After some Google searching, I learned that it might be fixed by updating to Java 8. I did that, but still had no success.

Can anyone please let me know how to fix it?

Upvotes: 8

Views: 21011

Answers (2)

ravbarKomanda

Reputation: 1

The JSch library (used by Jenkins or one of its plugins) makes use of Java's JCE provider. It appears the JCE provider of your Java version can't handle the key length of 2047 bits.

You can swap your current JCE provider with a BouncyCastle provider.

While @Brian Low's workaround describes a dynamic registration of BouncyCastle as the cryptography package provider, I'd like to point out an alternative way where it's done by configuring your environment via static registration.

Look for the "Signed JAR Files" section and select your provider. For example, bcprov-jdk15to18-165.jar, for any Java version between 5 and 8.

  • In Jenkins go to Manage Jenkins - Global Tool Configurations - JDK to verify your JDK location (JAVA_HOME).
  • Copy the JAR file to $JAVA_HOME/jre/lib/ext
  • Locate and edit $JAVA_HOME/jre/lib/security/java.security

Here we insert the BouncyCastle provider at the first position (most preferred) and update the others' preference numbers.

Example:

#
# List of providers and their preference orders (see above):
#
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=sun.security.mscapi.SunMSCAPI

At this point restart Jenkins.

Upvotes: 0

Brian Low

Reputation: 11811

Our fix:

Security.insertProviderAt(new BouncyCastleProvider(), 1)

We were using Jsch 0.1.54 directly to connect to an SFTP server and saw:

java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 4096 (inclusive). The specific key size 2047 is not supported

possibly related

Upvotes: 10
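
As an added example (not code from either answer), this Java diagnostic lists the installed JCE providers in preference order and reports whether each one's DH KeyPairGenerator accepts a 2047-bit modulus, which shows whether the static or dynamic BouncyCastle registration described in the answers took effect. The class name DhProviderCheck and the constructed test modulus are assumptions of the example.

```java
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.spec.DHParameterSpec;

/** Added diagnostic: reports which JCE providers accept a 2047-bit DH modulus. */
public class DhProviderCheck {

    // Constructed test modulus: 2^2046 + 1, so bitLength() == 2047.
    // It is NOT a prime and is only passed to initialize(); no key is generated.
    static final BigInteger P_2047 = BigInteger.ONE.shiftLeft(2046).add(BigInteger.ONE);
    static final BigInteger G = BigInteger.valueOf(2);

    /** Returns "accepted", "rejected: <reason>" or "no DH" for one provider. */
    static String probe(Provider provider) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH", provider);
            // The key-size check from the question's stack trace happens here.
            kpg.initialize(new DHParameterSpec(P_2047, G));
            return "accepted";
        } catch (NoSuchAlgorithmException e) {
            return "no DH";
        } catch (InvalidAlgorithmParameterException | RuntimeException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d %-12s %s%n",
                    i + 1, providers[i].getName(), probe(providers[i]));
        }
        // The provider an unqualified lookup resolves to, i.e. the most
        // preferred provider that offers DH.
        Provider chosen = KeyPairGenerator.getInstance("DH").getProvider();
        System.out.println("Default DH KeyPairGenerator comes from: " + chosen.getName());
    }
}
```

Run it with the same JDK (JAVA_HOME) that Jenkins uses, since the provider list in java.security is per installation.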
