Could not generate DH keypair on SSL

その他

このページの内容

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

症状

atlassian-stash.log に次のメッセージが表示される。

2015-02-18 10:04:45,612 WARN  [http-nio-7990-exec-5] @28C795x604x776664x0 3hqw0z 10.88.88.6,127.0.0.1 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider Co
uld not authenticate lorenzo.cubero; authentication by com.atlassian.stash.stash-authentication:crowdHttpAuthHandler failed
com.atlassian.stash.user.AuthenticationSystemException: The remote authentication server is not available. Please try again later.
..
..
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: null
..
..
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_72]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884) ~[na:1.7.0_72]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1842) ~[na:1.7.0_72]
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1825) ~[na:1.7.0_72]
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1751) ~[na:1.7.0_72]
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:127) ~[na:1.7.0_72]
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.7.0_72]
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.7.0_72]

原因

From the Apache article, beginning with version 2.4.7, mod_ssl will use DH parameters which include primes with lengths of more than 1024 bits. However, Java 7 and earlier limit their support for DH prime sizes to a maximum of 1024 bits.

ソリューション

You can do either of the following:

  • Add DH parameter limits to the target server's certificate. First, generate custom DH parameters by using openssl dhparam command and apply it with the SSLCertificateFile directive. The custom DH parameters with a 1024-bit prime will always have precedence over any of the built-in DH parameters. This has been described here.
  • Update your Java version to version 8 as the 1024-bit restriction should have been lifted to accept 2048-bit parameters.
    (warning) However, there are reports that moving up to the latest JDK release did not resolve the issue

For reference:

 

最終更新日 2016 年 3 月 30 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.