  1. Puppet Server
  2. SERVER-17

'Could not generate DH keypair' when issuing HTTPS requests to certain servers

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.0.0
    • Component/s: None
    • Labels: None
    • Release Notes: Not Needed
    • Release Notes Summary:
      That this was fixed was found when reviewing existing known issues in our documentation. Since this appears to have been resolved some time ago this PR includes the removal of it from our known issues: https://github.com/puppetlabs/puppetserver/pull/1815

      Description

      From puppet-dev:

      The only hitch I've had was with the Foreman report processor, which
      makes an HTTPS connection to Apache with mod_ssl. On new OSes with
      modern mod_ssl versions (e.g. EL7 or Ubuntu 14.04), the report processor
      fails to make an HTTPS connection from the JVM with the error:

      2014-09-26 08:56:09,984 ERROR [puppet-server] Report processor failed:
      Could not send report to Foreman at
      https://foreman.example.com/api/reports: Could not generate DH keypair
      ["sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)", ...]

      This is a well-known problem between JVM clients and recent mod_ssl
      versions, as the DH prime length supported by the JVM is limited.
      Adding the DH parameter limits to the server's certificate worked around
      the problem.

      http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh

      Java 8 worked slightly better in that it accepts 2048 bit parameters,
      but the default combination is still a problem. I guess it might affect
      others using HTTPS from the master.
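
The following is an added example, not part of the original post or of Puppet Server. It checks whether the DH PARAMETERS block appended to a server certificate file (the workaround described above) fits within a JVM client's limit. The function names, the `JVM_MAX_DH_BITS` table and the sample input are assumptions made for illustration. The 2048-bit Java 8 figure comes from the post and the 1024-bit figure for Java 7 and earlier from the linked Apache FAQ.

```python
import base64

# Assumed limits: 2048 bits for Java 8 is from the post above; 1024 bits for
# Java 7 and earlier is the figure given in the Apache FAQ it links to.
JVM_MAX_DH_BITS = {"java7": 1024, "java8": 2048}
BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def _tlv(buf, pos):  # read one DER element -> (tag, value bytes, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(cert_file_text):
    """Bit length of p in a DH PARAMETERS block, or None if there is none."""
    if BEGIN not in cert_file_text:
        return None
    body = cert_file_text.split(BEGIN, 1)[1].split(END, 1)[0]
    tag, seq, _ = _tlv(base64.b64decode("".join(body.split())), 0)
    ptag, p, _ = _tlv(seq, 0)  # DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("not a PKCS#3 DHParameter structure")
    return int.from_bytes(p, "big").bit_length()

def jvm_verdict(cert_file_text, jvm):
    bits = dh_prime_bits(cert_file_text)
    if bits is None:
        return "no custom DH parameters in file"
    return "ok" if bits <= JVM_MAX_DH_BITS[jvm] else "too large for " + jvm

def _der(tag, value):
    """Encode one DER element (used only to build the sample below)."""
    n = len(value)
    k = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + value

def sample_cert_file(bits):
    """Constructed input: p has the right size but is NOT a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    der = _der(0x30, _der(0x02, p) + _der(0x02, b"\x02"))
    return "(certificate omitted)\n%s\n%s\n%s\n" % (BEGIN, base64.b64encode(der).decode(), END)

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(bits, [jvm_verdict(sample_cert_file(bits), j) for j in JVM_MAX_DH_BITS])
```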

                People

                • Assignee: Unassigned
                • Reporter: Chris Price
                • QA Contact: Erik Dasher
                • Votes: 5
                • Watchers: 22
