hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Input on solution for "Could not generate DH keypair" error w/SSL connection
Date Tue, 08 Sep 2015 08:20:36 GMT
On Mon, 2015-09-07 at 11:06 -0700, Ken Krugler wrote:
> Hi there,
> 
> Some background first…
> 
> I was using a fairly old version of HttpClient (4.2.5) to access some Wikipedia pages,
and started getting SSLPeerUnverifiedException errors while connecting.
> 
> One change was that Wikipedia recently started only supporting https connections - see
http://venturebeat.com/2015/06/12/wikipedia-to-start-using-secure-https-by-default-for-all-users/
> 
> But getting details on what was going wrong was challenging - enabling HTTP wire logging
didn't show me much useful information.
> 
> Once I enabled SSL Handshake debug via the Java VM parameter -Djavax.net.debug=ssl:handshake,
I could see that the error was "Could not generate DH keypair"
> 
> I then followed the second suggestion at http://stackoverflow.com/questions/10687200/java-7-and-could-not-generate-dh-keypair,
which involves getting rid of ciphers that cause problems with Java 7.
> 
> Here's my modified SSLSocketFactory (and yes, for 4.3 or later I should be using SSLConnectionSocketFactory)...
> 
>     private static class MySSLSocketFactory extends SSLSocketFactory {
> 
>         public MySSLSocketFactory(SSLContext sslContext) {
>             super(sslContext);
>         }
>         
>         @Override
>         protected void prepareSocket(SSLSocket socket) throws IOException {
>             super.prepareSocket(socket);
> 
>             String[] enabledCipherSuites = socket.getEnabledCipherSuites();
> 
>             // avoid hardcoding a new list, we just remove the entries
>             // which cause the exception
>             List<String> asList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
> 
>             // See http://stackoverflow.com/questions/10687200/java-7-and-could-not-generate-dh-keypair
>             // we identified the following entries causing the problems
>             // "Could not generate DH keypair"
>             // and "Caused by: java.security.InvalidAlgorithmParameterException: Prime
size must be multiple of 64, and can only range from 512 to 1024 (inclusive)"
>             asList.remove("TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
>             asList.remove("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
>             asList.remove("TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
> 
>             socket.setEnabledCipherSuites(asList.toArray(new String[asList.size()]));
>         }
>     }
> 
> This seems to be working fine, but it feels like a hack to remove specific ciphers.
> 
> Is there a better (more robust) solution? Should this only be used if an un-hacked try
fails with this kind of problem?
> 
> Thanks,
> 
> -- Ken

Hi Ken

I see nothing hacky about this solution. Restricting ciphers enabled for
a particular SSL session looks like a normal thing to do.

Oleg


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message