Description of problem:
I am trying to connect to Fedora HTTP servers, which use the ECDHE-RSA-AES128-GCM-SHA256 cipher with a 4096-bit public key. Currently Java fails with java.security.InvalidAlgorithmParameterException stating that key size cannot be greater than 2048 bits. The limit on key size seems to be arbitrary to me. Would it be possible to allow larger key sizes? Also some servers are using key sizes like 2047 (often because the random number generator happened to generate smaller primes, even though the user requested size 2048), so it would be good if the multiple-of-64-bits limit was removed too.

Version-Release number of selected component (if applicable):
1.8.0.25-5.b18.fc21

Steps to Reproduce:
$ cat <<EOF >TestFedoraHTTPS.java
public class TestFedoraHTTPS {
    public static void main(String[] args) throws Exception {
        new java.net.URL("https://fedorapeople.org/").openStream();
    }
}
EOF
$ javac TestFedoraHTTPS.java
$ java TestFedoraHTTPS

Actual results:
Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1874)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1857)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1378)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1511)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1439)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	at java.net.URL.openStream(URL.java:1038)
	at TestFedoraHTTPS.main(TestFedoraHTTPS.java:3)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
	at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:136)
	at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:686)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:871)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
	... 8 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)
	at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:120)
	at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:657)
	at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:127)
	... 15 more

Expected results:
no exception

*** This bug has been marked as a duplicate of bug 1163501 ***
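
Added example, not part of the original report or of the JDK: an offline probe that feeds the local "DH" KeyPairGenerator moduli of several bit lengths through the same initialize() call shown in the trace, and reports which sizes the installed JRE rejects. The class name, the size list and the placeholder modulus are constructed for illustration; it assumes the provider validates only the modulus bit length at initialize() time, so no real prime and no key generation is needed.

```java
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import javax.crypto.spec.DHParameterSpec;

public class DhPrimeSizeProbe {
    // Constructed list: the sizes mentioned in the report (2047, 2048, 4096)
    // plus a few common neighbours for comparison.
    static final int[] SIZES = {512, 1024, 2047, 2048, 3072, 4096};

    /** Returns null if the provider accepts the size, otherwise its rejection message. */
    static String probe(int bits) throws Exception {
        // Placeholder modulus with exactly `bits` bits (top bit and low bit set).
        // It is NOT a real prime; it is never used to generate a key pair.
        BigInteger p = BigInteger.ONE.shiftLeft(bits - 1).setBit(0);
        BigInteger g = BigInteger.valueOf(2);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        try {
            // Same code path as DHCrypt.<init> -> KeyPairGenerator.initialize in the trace.
            kpg.initialize(new DHParameterSpec(p, g));
            return null;
        } catch (InvalidAlgorithmParameterException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (int bits : SIZES) {
            String reason = probe(bits);
            System.out.println(bits + "-bit modulus: "
                    + (reason == null ? "accepted" : "rejected (" + reason + ")"));
        }
    }
}
```

Compile and run it with the same JRE the failing client uses; a "rejected" line for a size the server offers means the handshake will fail the way the report describes.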