When reviewing the Messaging Gateway catalina.out log file, a number of SEVERE level errors appear, indicating problems generating Diffie-Hellman keys for a TLS connection.
Aug 23, 2024 12:54:22 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor doRun
SEVERE: Error running socket processor
java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1564)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:545)
    ...
Caused by: java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:142)
    at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:103)
    at sun.security.ssl.ServerHandshaker.setupEphemeralDHKeys(ServerHandshaker.java:1573)
    ...
Caused by: java.security.InvalidAlgorithmParameterException: DH Parameters without subprime Q are not FIPS 140 approved, specify using DSAParameterSpec or X942DHParameterSpec
    at com.rsa.cryptoj.o.kp.a(Unknown Source)
    at com.rsa.cryptoj.o.kt.initialize(Unknown Source)
    at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:128)
    ... 20 more
The SMG Control Center web application does not allow DH key exchange to be used, because DH key exchange is considered insecure. However, a ciphersuite using DHE key exchange is listed in the web application configuration:
cc [10.9.0-3]> cc-config --status | grep ciphers
Control Center ciphers are: 'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA'.
This error does not affect TLS negotiation and may be safely ignored. The DHE key exchange ciphersuites will be removed in version 10.9.1.
To manually remove the DHE ciphersuites:
cc-config set-ciphers --ciphers 'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'
This will remove the DHE ciphersuites from the web application cipher list.
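The manual step above, as an added example that is not part of the original article: a POSIX shell script, run on an admin workstation against a pasted status line, that derives the set-ciphers command by dropping only suites whose name starts with TLS_DHE_, so the TLS_ECDHE_ suites are kept. The function names and the embedded sample line are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the "cc-config set-ciphers" command from a captured
# "cc-config --status" line, removing only finite-field DHE suites.

# Constructed sample input, copied from the status output shown in this article.
STATUS_LINE="Control Center ciphers are: 'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA'."

# extract_ciphers: print the comma-separated list found between the single quotes.
extract_ciphers() {
    printf '%s\n' "$1" | sed -n "s/.*ciphers are: '\([^']*\)'.*/\1/p"
}

# strip_dhe: drop suites whose name starts with TLS_DHE_.
# Anchoring on the prefix matters: a substring match on "DHE" would also
# remove the TLS_ECDHE_* suites that must stay in the list.
strip_dhe() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v '^TLS_DHE_' | paste -s -d ',' -
}

# build_command: print the set-ciphers command, or fail if the input has no
# cipher list or if filtering would leave the list empty.
build_command() {
    list=$(extract_ciphers "$1")
    [ -n "$list" ] || { echo "no cipher list found in input" >&2; return 1; }
    kept=$(strip_dhe "$list")
    [ -n "$kept" ] || { echo "refusing to emit an empty cipher list" >&2; return 1; }
    printf "cc-config set-ciphers --ciphers '%s'\n" "$kept"
}

build_command "$STATUS_LINE"
```

After applying the printed command, re-running cc-config --status | grep ciphers should show no TLS_DHE_ entries.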