Martin Thoma

Reputation: 136655

What does "Reason: DHPublicKey does not comply to algorithm constraints" mean?

I saw this error when I wanted to connect to another machine:

SEVERE: Could not create connection XXXXX: XXXXX Error establishing socket to host and port: XXXXX:XXXXX. Reason: DHPublicKey does not comply to algorithm constraints

What is the reason for that?

Upvotes: 1

Views: 8522

Answers (1)

Martin Thoma

Reputation: 136655

The reason was that the server only supported weak ciphers. While updating the server is certainly the clean/good solution, the quick one is to remove the constraints as mentioned here:

Within /usr/lib/jvm/default-java/jre/lib/security/java.security or - depending on your OS - /etc/crypto-policies/back-ends/java.config you have a line

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

Notice the DH keySize < 1024. So no keys which are smaller are allowed.

Replacing this with

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \

or completely removing the DH keySize < 1024 part could solve the problem.

You can do this via

$ sed -i "s/ DH keySize < 1024,//" /usr/lib/jvm/default-java/jre/lib/security/java.security

Upvotes: 10
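As an added example (not part of the original question or answer), the shell below shows two things a practitioner usually wants before touching the global `java.security`: a way to see how large the ephemeral DH group the server actually sends is (from `openssl s_client` output, whose `Server Temp Key: DH, N bits` line appears in OpenSSL 1.0.2 and later), and a way to lower the `DH keySize < 1024` constraint for one application only, by generating an override file to pass with `-Djava.security.properties=FILE` (honoured because `security.overridePropertiesFile=true` is the JDK default; a property in the override file replaces the same-named property, so the whole `jdk.tls.disabledAlgorithms` list is copied and only the DH part changed). The `openssl` output and `java.security` contents embedded here are constructed samples, not captured from a real server or JDK, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original answer.
#   dh_bits        - print the ephemeral DH size (bits) found in s_client output on stdin
#   dh_allowed     - check a DH size against a "DH keySize < MIN" constraint
#   write_override - copy jdk.tls.disabledAlgorithms from a java.security file into a
#                    per-application override file with the DH threshold lowered

# Live use: openssl s_client -connect HOST:PORT -cipher 'DHE' </dev/null 2>/dev/null | dh_bits
dh_bits() {
    sed -n 's/.*Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Exit 0 if a DH key of $1 bits passes a "DH keySize < $2" constraint, 1 otherwise.
dh_allowed() {
    [ "$1" -ge "$2" ]
}

# $1 = source java.security, $2 = override file to write, $3 = new minimum DH size.
# The property may span several backslash-continued lines; awk copies all of them.
# The override replaces the whole property, so everything except the DH part is kept.
# Prints the JVM flag to use with the generated file.
write_override() {
    src=$1; dst=$2; min=$3
    awk '/^jdk\.tls\.disabledAlgorithms=/ {p=1} p {print; if ($0 !~ /\\$/) p=0}' "$src" \
        | sed "s/DH keySize < 1024/DH keySize < $min/" > "$dst"
    printf '%s\n' "-Djava.security.properties=$dst"
}

# Constructed sample input (not real s_client output).
SAMPLE_SCLIENT='SSL handshake has read 1234 bytes and written 456 bytes
Server Temp Key: DH, 768 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA'

# Constructed sample java.security (not a real JDK file).
SAMPLE_JAVA_SECURITY='security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5'

demo() {
    bits=$(printf '%s\n' "$SAMPLE_SCLIENT" | dh_bits)
    if dh_allowed "$bits" 1024; then
        echo "server DH $bits bits: accepted by the default constraint"
    else
        echo "server DH $bits bits: rejected (DHPublicKey does not comply to algorithm constraints)"
    fi
    tmp=${TMPDIR:-/tmp}/java.security.sample.$$
    printf '%s\n' "$SAMPLE_JAVA_SECURITY" > "$tmp"
    write_override "$tmp" "$tmp.override" 768
    cat "$tmp.override"
    rm -f "$tmp" "$tmp.override"
}

demo
```

Start the affected application as `java -Djava.security.properties=/path/to/override ...` (single `=`; a double `==` would replace the whole `java.security` instead of overriding individual properties). This keeps the weakened DH threshold scoped to one JVM invocation rather than every Java process on the host, which matters because sub-1024-bit DH is exactly what the default constraint exists to block.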
