Details
-
Type:
Bug
-
Status: Accepted
-
Priority:
Normal
-
Resolution: Unresolved
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
-
Template:customfield_10700 52925
-
Epic Link:
-
Team:Server
Description
From puppet-dev:
The only hitch I've had was with the Foreman report processor, which
makes an HTTPS connection to Apache with mod_ssl. On new OSes with
modern mod_ssl versions (e.g. EL7 or Ubuntu 14.04), the report processor
fails to make an HTTPS connection from the JVM with the error:2014-09-26 08:56:09,984 ERROR [puppet-server] Report processor failed:
Could not send report to Foreman at
https://foreman.example.com/api/reports: Could not generate DH keypair
["sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)", ...]This is a well-known problem between JVM clients and recent mod_ssl
versions, as the DH prime length supported by the JVM is limited.
Adding the DH parameter limits to the server's certificate worked around
the problem.http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh
Java 8 worked slightly better in that it accepts 2048 bit parameters,
but the default combination is still a problem. I guess it might affect
others using HTTPS from the master.
Attachments
Issue Links
- relates to
-
SERVER-136 docs for new client ssl configuration
-
- Closed
-
