After upgrading CA PAM to version 4.2.X, connecting to some Windows servers fails with the following error:
RDP failed with SSL connection error internal_error(80)
With the applet set to debug in CA PAM, the CA PAM Client log contains the following messages:
2025-09-03 12:46:57 INFO - Caused by: java.lang.NullPointerException: Cannot invoke "org.bouncycastle.tls.TlsDHGroupVerifier.accept(org.bouncycastle.tls.crypto.DHGroup)" because "dhGroupVerifier" is null syserr.write [PAM Access Agent-3]
2025-09-03 12:46:57 INFO - syserr.write [PAM Access Agent-3]
2025-09-03 12:46:57 INFO - at org.bouncycastle.tls.TlsDHUtils.receiveDHConfig(TlsDHUtils.java:137) syserr.write [PAM Access Agent-3]
2025-09-03 12:46:57 INFO - syserr.write [PAM Access Agent-3]
2025-09-03 12:46:57 INFO - at org.bouncycastle.tls.TlsDHEKeyExchange.processServerKeyExchange(TlsDHEKeyExchange.java:95) syserr.write [PAM Access Agent-3]
CA PAM 4.2.X, all versions up to 4.2.3
The error is caused by servers configured with 1024 as the DH key length. Bouncy Castle has been upgraded in the latest versions of PAM and, by default, it does not support 1024-bit DH key lengths.
As a result, Bouncy Castle fails with a NullPointerException (there is no DHGroupVerifier for the 1024-bit key length), which in turn surfaces as internal_error(80).
This issue exists in all 4.2.X versions, and the fix should be published as a generic hotfix for all versions. Please check the CA PAM Hotfixes page. If you can't find the fix there, please open a case with Support.
TLS error 80 in a connection to an RDP server is a generic error code for handshake-related problems. As such, there are other use cases where the handshake to Windows results in the same error code. Please check KB390687 for another problem leading to the same error code.