SEVERE: Error running socket processor java.lang.RuntimeException: Could not generate DH keypair

Article ID: 378055

Products

Messaging Gateway

Issue/Introduction

When reviewing the Messaging Gateway catalina.out log file, a number of SEVERE-level errors appear, indicating problems generating Diffie-Hellman keys for a TLS connection.

Aug 23, 2024 12:54:22 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor doRun
SEVERE: Error running socket processor
java.lang.RuntimeException: Could not generate DH keypair
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1564)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:545)
...
Caused by: java.lang.RuntimeException: Could not generate DH keypair
        at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:142)
        at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:103)
        at sun.security.ssl.ServerHandshaker.setupEphemeralDHKeys(ServerHandshaker.java:1573)
...
Caused by: java.security.InvalidAlgorithmParameterException: DH Parameters without subprime Q are not FIPS 140 approved, specify using DSAParameterSpec or X942DHParameterSpec
        at com.rsa.cryptoj.o.kp.a(Unknown Source)
        at com.rsa.cryptoj.o.kt.initialize(Unknown Source)
        at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:128)
        ... 20 more

Cause

The SMG Control Center web application does not allow DH key exchange to be used, because DH key exchange is considered insecure, but a ciphersuite using DHE key exchange is still listed in the web application configuration:

cc [10.9.0-3]> cc-config --status | grep ciphers
Control Center ciphers are:  'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA'.

Resolution

The DHE key exchange ciphersuites are removed in SMG 10.9.2.

This error does not affect TLS negotiation and may be safely ignored. To manually remove the DHE ciphersuites in earlier releases:

  1. Log in to the Control Center command line as admin via SSH / PuTTY
  2. Run the following command to modify the list of available ciphersuites:
    cc-config set-ciphers --ciphers 'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'

This will remove the DHE ciphersuites from the web application cipher list.
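
The cipher list for step 2 can be derived from the current status line instead of being typed by hand. The script below is an added example, not part of the original article or the product: it parses the status line shown under Cause, drops only the TLS_DHE_ suites while keeping TLS_ECDHE_, and prints the resulting command for review. The helper names (list_suites, strip_dhe, count_dhe) are hypothetical, and the script works on captured text without calling cc-config.

```shell
#!/bin/sh
# Added example. Works on captured text only; it never calls cc-config.

# Constructed sample: the status line quoted in this article.
sample_status="Control Center ciphers are:  'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA'."

# list_suites (hypothetical helper): status line on stdin -> one suite per line.
list_suites() {
  sed -n "s/^Control Center ciphers are:[[:space:]]*'\(.*\)'\.\{0,1\}[[:space:]]*$/\1/p" |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -v '^$'
}

# strip_dhe (hypothetical helper): drop finite-field DHE suites and rejoin.
# The match is anchored on the TLS_DHE_ prefix; an unanchored "DHE" pattern
# would also delete the ECDHE suites that must stay.
strip_dhe() {
  list_suites | grep -v '^TLS_DHE_' | paste -sd, -
}

# count_dhe (hypothetical helper): number of DHE suites in a status line.
# Expected to be 0 once the change has been applied.
count_dhe() {
  list_suites | grep -c '^TLS_DHE_' || true
}

# Print the command for review instead of executing it.
printf "cc-config set-ciphers --ciphers '%s'\n" \
  "$(printf '%s\n' "$sample_status" | strip_dhe)"
```

After the change, feeding the new status line to count_dhe should report 0.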