Aug 25, 2018

[HDGEM] Why do handshakes fail with Java-based clients when using a certificate with more than 1024 bits?

Java 7 and earlier limit their support for DH prime sizes to a maximum of 1024 bits, so the handshake fails whenever the server offers DH parameters whose prime is longer than 1024 bits. mod_ssl (httpd 2.4.7 and later) hands out built-in DH parameters whose prime length matches the length of the certificate's RSA/DSA key, which is why a certificate with a key larger than 1024 bits triggers the failure.

If your Java-based client aborts with exceptions such as "java.lang.RuntimeException: Could not generate DH keypair" and "Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)", and httpd logs "tlsv1 alert internal error (SSL alert number 80)" (at LogLevel info or higher), you have two options. You can either rearrange mod_ssl's cipher list with SSLCipherSuite (possibly in conjunction with SSLHonorCipherOrder), or you can use custom DH parameters with a 1024-bit prime, which always take precedence over any of the built-in DH parameters.
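The two remedies as an added mod_ssl configuration example (not from the original post or the httpd project); the cipher string, file paths and file names are assumptions, and the comments state which option is the safer one for all other clients.

```apache
# Option A: fix by cipher ordering. With SSLHonorCipherOrder on, the server's
# preference wins, so ECDHE and static RSA key exchange are chosen ahead of
# every DHE suite and a Java 7 client is never offered the oversized DH prime.
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE+AESGCM:ECDHE+AES:kRSA+AESGCM:kRSA+AES:DHE+AESGCM:DHE+AES:!aNULL:!eNULL:!MD5:!RC4"

# Option B: fix with custom 1024-bit DH parameters. Generate them once with
#   openssl dhparam -out /etc/ssl/private/dh1024.pem 1024
# (constructed path) and append that PEM block to the certificate file below;
# mod_ssl uses DH parameters found in SSLCertificateFile in preference to its
# built-in ones. This drops DH to 1024 bits for every client that negotiates
# DHE, so prefer Option A unless the Java clients cannot use ECDHE or RSA.
SSLCertificateFile    /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
```

On httpd 2.4.8 or later built against OpenSSL 1.0.2, the same DH file can instead be supplied with SSLOpenSSLConfCmd DHParameters rather than appended to the certificate.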

