gfsh failed to connect with GemFire Locator with error "Unable to form SSL connection"
Article ID: 294067

Products

VMware Tanzu Gemfire

Issue/Introduction

Symptoms:
gfsh fails to connect to the locator over SSL. Here is the error:
gfsh>connect --locator=remotehost[7900] --use-ssl --security-properties-file=/home/app/gemfire.properties --user=user1
password: ********
Connecting to Locator at [host=remotehost, port=7900] ..
Unable to form SSL connection

Locator log:
[info 2018/11/01 01:01:01.005 EST remotehost_locator <locator request thread[123]> tid=0x444] Exception in processing request from 10.35.31.110
javax.net.ssl.SSLException: Error generating DH server key exchange
    at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1391)
    at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:886)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:224)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1010)
    at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:368)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
    at sun.security.provider.DSA.checkKey(DSA.java:111)
    at sun.security.provider.DSA.engineInitSign(DSA.java:143)
    at java.security.SignatureSpi.engineInitSign(SignatureSpi.java:103)
    at java.security.Signature$Delegate.init(Signature.java:1155)
    at java.security.Signature$Delegate.chooseProvider(Signature.java:1112)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1185)
    at java.security.Signature.initSign(Signature.java:550)
    at sun.security.ssl.HandshakeMessage$DH_ServerKeyExchange.<init>(HandshakeMessage.java:750)
    at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:882)
    ... 12 more

GemFire server JDK version and certificate info:
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
OpenJDK version "1.8.0_151"

gfsh client JDK version:
OpenJDK Runtime Environment (build 1.8.0_64)

Environment


Cause

OpenJDK 1.8.0_151 changed the default key size, as described in the release note excerpt below (*1). When a gfsh client running a JDK older than 1.8.0_151, whose default key size is 1024 bits, performs the SSL handshake with a GemFire server JVM whose certificate uses a 2048-bit DSA key, the GemFire server throws the exception "The security strength of SHA-1 digest algorithm is not sufficient for this key size".

Changes: Refactor existing providers to refer to the same constants for default values for key length (*1)
Two important changes have been made for this issue:
A new system property has been introduced that allows users to configure the default key size used by the JDK provider implementations of KeyPairGenerator and AlgorithmParameterGenerator. This property is named "jdk.security.defaultKeySize" and the value of this property is a list of comma-separated entries. Each entry consists of a case-insensitive algorithm name and the corresponding default key size (in decimal) separated by ':'. In addition, white space is ignored.
By default, this property will not have a value, and JDK providers will use their own default values. Entries containing an unrecognized algorithm name will be ignored. If the specified default key size is not a parseable decimal integer, that entry will be ignored as well.

The DSA KeyPairGenerator implementation of the SUN provider no longer implements java.security.interfaces.DSAKeyPairGenerator. Applications which cast the SUN provider's DSA KeyPairGenerator object to a java.security.interfaces.DSAKeyPairGenerator can set the system property "jdk.security.legacyDSAKeyPairGenerator". If the value of this property is 'true', the SUN provider will return a DSA KeyPairGenerator object which implements the java.security.interfaces.DSAKeyPairGenerator interface. This legacy implementation will use the same default value as specified by the javadoc in the interface.
By default, this property will not have a value, and the SUN provider will return a DSA KeyPairGenerator object which does not implement the aforementioned interface and thus can determine its own provider-specific default value as stated in the java.security.KeyPairGenerator class or by the 'jdk.security.defaultKeySize' system property if set.
JDK-8181048 (not public)
*1: https://java.com/en/download/faq/release_changes.xml
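The following Java program is an added diagnostic and is not code from this article or from GemFire. It reports the running JDK's default DSA key size, then generates a 2048-bit DSA key like the locator's certificate and tries to sign with SHA1withDSA and SHA256withDSA, so you can see on both the gfsh client JDK and the locator JDK which key/digest pairing each provider accepts. The class name is hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.DSAPublicKey;

// Hypothetical diagnostic class; not part of GemFire or the KB article.
public class DsaDigestStrengthCheck {

    // Bit length of the DSA prime p, i.e. the "key size" keytool reports.
    static int keyBits(KeyPair kp) {
        return ((DSAPublicKey) kp.getPublic()).getParams().getP().bitLength();
    }

    // Tries to sign with the given DSA signature algorithm. Returns null when the
    // provider accepts the key/digest pairing, or the InvalidKeyException message
    // when DSA.checkKey rejects it (the failure seen in the locator stack trace).
    static String trySign(String algorithm, PrivateKey key) throws GeneralSecurityException {
        try {
            Signature sig = Signature.getInstance(algorithm);
            sig.initSign(key);
            sig.update("probe".getBytes(StandardCharsets.UTF_8));
            sig.sign();
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("JDK " + System.getProperty("java.version"));

        // 1. Provider default key size (the value the release note above makes
        //    configurable via -Djdk.security.defaultKeySize=DSA:<bits>).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        System.out.println("Default DSA key size: " + keyBits(kpg.generateKeyPair()) + " bits");

        // 2. Same key size as the locator certificate in the article (2048-bit DSA).
        kpg.initialize(2048);
        KeyPair serverKey = kpg.generateKeyPair();
        for (String alg : new String[] {"SHA1withDSA", "SHA256withDSA"}) {
            String err = trySign(alg, serverKey.getPrivate());
            System.out.println(alg + " with " + keyBits(serverKey) + "-bit key: "
                    + (err == null ? "accepted" : "rejected (" + err + ")"));
        }
    }
}
```

On a JDK whose SUN provider enforces the FIPS 186-3 digest-strength rule, the SHA1withDSA line prints the same "security strength of SHA-1 digest algorithm" message as the locator log, while SHA256withDSA is accepted.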

Resolution

Upgrading the gfsh client's OpenJDK from build 1.8.0_64 to build 1.8.0_151 resolves this issue.