Is there a workaround for: java.lang.RuntimeException: Could not generate DH keypair


Question

I am testing a Java application. I am trying to start an SSL handshake using a DH ciphersuite, but I am getting the following error:

java.lang.RuntimeException: Could not generate DH keypair

Some people have suggested BouncyCastle, but many people have reported errors with it, so I am not encouraged to use it if there is another alternative.

Someone has suggested downloading the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from http://www.oracle.com/technetwork/java/javase/downloads/index.html. I did replace the following two files, java.security and java.policy, in C:\Program Files (x86)\Java\jre7\lib\security. Note that I also noticed that I have Java\jre7\security installed in both Program Files (x86) and Program Files, and I replaced both. But I still see the same error.

Is there any workaround for this error?

EDIT:
The stack trace:

javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at MyClass.MyClass.myFunction(MyProg.java:78)
    at MyClass.MyClass.main(MyClass.java:233)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.DHCrypt.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverKeyExchange(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 4 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
    at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:120)
    at java.security.KeyPairGenerator$Delegate.initialize(Unknown Source)
    ... 11 more

EDIT2:
My code is acting as a client trying to initiate SSL handshake with a remote server (website). I set the client's cipher suite list to:

{
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_NULL_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
};

All ciphersuites in the client's list are supported by Java. How can I configure the Java client to support initiating an SSL handshake when the server offers long DH keys?

Recommended answer

Yes, basically a dupe of #6851461, also #9162249 and #10687200. The Unlimited Strength policy is NOT the solution.

The prime size for DHE (and other DH) in an SSL/TLS client is, and must be, set from the parameters received from the server; the client can't choose something different. (That's the ClientHandshaker.serverKeyExchange in the stacktrace.)

You already have ECDHE-RSA (which works okay in Java 7, or 6 if you add an ECC provider such as, but not necessarily, BouncyCastle) prioritized over DHE-RSA, and the server didn't choose it. You aren't offering plain RSA; if you are willing to go without Forward Secrecy and the server is too, try adding at least some suites like _RSA_WITH_AES_128_CBC_SHA and _RSA_WITH_RC4_128_SHA before (or instead of) the _DHE_RSA ones.

Another possibility is to ask the server operator(s) to use DH 1024-bit, if they're willing and permitted. It's not actually broken yet, but it is prohibited by some important standards.
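The answer above explains the mechanism (the client has no say in the DH prime size, so the only client-side lever is which suites it offers and in what order) but not what the resulting client looks like. The following is an added example, not code from the question or the answer: a Java 7 client that builds its cipher-suite list from what the runtime supports, puts ECDHE-RSA first, plain RSA second, and can drop every DHE suite; if the first handshake dies with the `Prime size must be multiple of 64` cause shown in the stack trace, it retries with DHE removed. It also drops the NULL, EXPORT, DES/3DES, RC4 and anonymous suites that appear in the question's list, since none of them should be offered by a client. The class name, the `example.com` default host and the retry policy are assumptions for illustration. Note that this is a workaround for the 1024-bit ceiling of the JDK 7 DH key-pair generator; upgrading to Java 8 or later, whose client accepts larger server DH primes, removes the problem without giving up DHE.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.util.ArrayList;
import java.util.List;

// Added example (not the asker's or answerer's code): client-side workaround for
// "Could not generate DH keypair" on JDK 7 by controlling the offered suites.
public class DhWorkaroundClient {

    // Suites no client should still offer: NULL, EXPORT, DES/3DES, RC4, anonymous.
    static boolean isAcceptable(String suite) {
        return !(suite.contains("_NULL_") || suite.contains("_EXPORT")
                || suite.contains("_DES_") || suite.contains("_3DES_")
                || suite.contains("_RC4_") || suite.contains("_anon_"));
    }

    // Order: ECDHE-RSA (forward secrecy, no DH prime-size limit) first, then
    // optionally DHE-RSA, then plain RSA as the no-forward-secrecy fallback.
    // With includeDhe=false no TLS_DHE_*/SSL_DHE_* suite is offered, so the
    // server cannot select DHE and hand the client a prime the JDK 7 generator
    // rejects in DHCrypt.<init>.
    static String[] orderedSuites(String[] supported, boolean includeDhe) {
        List<String> ecdhe = new ArrayList<String>();
        List<String> dhe = new ArrayList<String>();
        List<String> rsa = new ArrayList<String>();
        for (String s : supported) {
            if (!isAcceptable(s)) continue;
            if (s.startsWith("TLS_ECDHE_RSA_WITH_")) ecdhe.add(s);
            else if (s.startsWith("TLS_DHE_RSA_WITH_") || s.startsWith("SSL_DHE_RSA_WITH_")) dhe.add(s);
            else if (s.startsWith("TLS_RSA_WITH_") || s.startsWith("SSL_RSA_WITH_")) rsa.add(s);
        }
        List<String> out = new ArrayList<String>(ecdhe);
        if (includeDhe) out.addAll(dhe);
        out.addAll(rsa);
        return out.toArray(new String[out.size()]);
    }

    // True when the cause chain bottoms out in the DH prime-size rejection from
    // com.sun.crypto.provider.DHKeyPairGenerator, as in the question's stack trace.
    static boolean isDhPrimeSizeFailure(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof InvalidAlgorithmParameterException
                    && String.valueOf(c.getMessage()).startsWith("Prime size")) {
                return true;
            }
        }
        return false;
    }

    // Connect, offer the computed suite list, complete the handshake and report
    // which suite the server selected.
    static String handshake(String host, int port, boolean includeDhe) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sock = (SSLSocket) factory.createSocket(host, port);
        try {
            sock.setEnabledCipherSuites(orderedSuites(sock.getSupportedCipherSuites(), includeDhe));
            sock.startHandshake();
            return sock.getSession().getCipherSuite();
        } finally {
            sock.close();
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // assumed target host
        try {
            System.out.println("Negotiated: " + handshake(host, 443, true));
        } catch (IOException e) {            // SSLException is an IOException
            if (!isDhPrimeSizeFailure(e)) throw e;
            // Server chose DHE with a prime this JDK cannot handle: retry without DHE.
            System.out.println("DHE prime too large for this JDK, retrying without DHE");
            System.out.println("Negotiated: " + handshake(host, 443, false));
        }
    }
}
```

The retry is only a convenience for a test client; in production code decide up front whether plain RSA (no forward secrecy) is acceptable and set the suite list once, because an attacker who can break the first handshake can otherwise steer the client toward the weaker fallback.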
