Bug 1185345
| Summary: | java-1.8.0-openjdk: Please add support for DH with key sizes > 2048 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikolaj Izdebski <mizdebsk> |
| Component: | java-1.8.0-openjdk | Assignee: | Andrew John Hughes <ahughes> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 21 | CC: | ahughes, dbhole, jerboaa, jvanek, omajid |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-01-23 19:36:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 1163501 *** |
Description of problem: I am trying to connect to Fedora HTTP servers, which use ECDHE-RSA-AES128-GCM-SHA256 cipher with 4096-bit public key. Currently Java fails with java.security.InvalidAlgorithmParameterException stating that key size cannot be greater than 2048 bits. The limit on key size seems to be arbitrary to me. Would it be possible to allow larger key sizes? Also some servers are using key sizes like 2047 (often because random number generator happened to generate smaller primes, even though user requested size 2048), so it would be good if the multiply-of-64-bits limit was removed too. Version-Release number of selected component (if applicable): 1.8.0.25-5.b18.fc21 Steps to Reproduce: $ cat <<EOF >TestFedoraHTTPS.java public class TestFedoraHTTPS { public static void main(String[] args) throws Exception { new java.net.URL("https://fedorapeople.org/").openStream(); } } EOF $ javac TestFedoraHTTPS.java $ java TestFedoraHTTPS Actual results: Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1874) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1857) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1378) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1511) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1439) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at java.net.URL.openStream(URL.java:1038) at TestFedoraHTTPS.main(TestFedoraHTTPS.java:3) Caused by: java.lang.RuntimeException: Could not generate DH keypair at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:136) at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:686) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936) at sun.security.ssl.Handshaker.process_record(Handshaker.java:871) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371) ... 8 more Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive) at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:120) at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:657) at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:127) ... 15 more Expected results: no exception