Details
- Bug
- Status: Closed
- Normal
- Resolution: Fixed
- Froyo
- Not Needed
Description
From puppet-dev:
The only hitch I've had was with the Foreman report processor, which
makes an HTTPS connection to Apache with mod_ssl. On new OSes with
modern mod_ssl versions (e.g. EL7 or Ubuntu 14.04), the report processor
fails to make an HTTPS connection from the JVM with the error:

2014-09-26 08:56:09,984 ERROR [puppet-server] Report processor failed:
Could not send report to Foreman at
https://foreman.example.com/api/reports: Could not generate DH keypair
["sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)", ...]

This is a well-known problem between JVM clients and recent mod_ssl
versions, as the DH prime length supported by the JVM is limited.
Adding the DH parameter limits to the server's certificate worked around
the problem.

http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh
Java 8 worked slightly better in that it accepts 2048 bit parameters,
but the default combination is still a problem. I guess it might affect
others using HTTPS from the master.
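
Added example (not part of the ticket or the quoted message): a Python check that reads the `DH PARAMETERS` block the workaround above appends to the server's certificate file and reports whether its prime fits the JVM limit. The function names and the sample PEM are constructed for illustration, and the 1024-bit figure for Java 7 is an assumption not stated in the report.

```python
import base64
import re

# Largest DH prime (bits) the JVM's TLS stack accepts. 2048 for Java 8 is from
# the report above; 1024 for Java 7 is an assumption (limit of older releases).
JVM_MAX_DH_BITS = {7: 1024, 8: 2048}
PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of p in the first DH PARAMETERS block, or None if absent."""
    m = PEM_RE.search(pem_text)
    if m is None:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    seq, _ = _read_tlv(der, 0, 0x30)      # SEQUENCE { INTEGER p, INTEGER g }
    p_bytes, _ = _read_tlv(seq, 0, 0x02)  # first INTEGER is the prime p
    return int.from_bytes(p_bytes, "big").bit_length()

def within_jvm_limit(pem_text, java_major):
    """True/False if the file's DH prime fits the JVM limit, None if no params."""
    bits = dh_prime_bits(pem_text)
    return None if bits is None else bits <= JVM_MAX_DH_BITS[java_major]

def _der(tag, value):
    """Encode one DER TLV (helper for building the constructed sample)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def make_sample_pem(bits):
    """Constructed input: an odd number of `bits` bits stands in for a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    der = _der(0x30, _der(0x02, p) + _der(0x02, b"\x02"))
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    print({b: within_jvm_limit(make_sample_pem(b), 7) for b in (1024, 2048)})
```

A `None` result means the file carries no custom parameters, so the server's built-in default applies and has to be checked separately.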
Issue Links
- relates to SERVER-136 docs for new client ssl configuration (Closed)