Could not generate DH keypair from proxy server

Posted 2019-09-01 15:33

I am getting the error below when hitting a third-party URL via a proxy server that runs Java version 1.6.0_26.

 java.lang.RuntimeException: Could not generate DH keypair
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1612)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1595)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1521)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at org.owasp.webscarab.model.Request.writeDirect(Request.java:234)
        at org.owasp.webscarab.model.Request.writeDirect(Request.java:215)
        at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:251)
        at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:346)
        at java.lang.Thread.run(Thread.java:662)

I have searched and found that this may be because OpenJDK 1.6 doesn't support > 1024-bit encryption, so it should be resolved by replacing the JCE jars with the patched ones from http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

I have downloaded and replaced the JCE jar files, and now I am able to get the response of the page.

My question is this: it is stated that the issue occurs because the website uses 2048-bit encryption, and that it is resolved by replacing the JCE jars with the Unlimited Strength ones.

But I can see that most of the URLs I am using also have only 2048-bit encryption, and they work fine even on OpenJDK 1.6.

So I suspect there may be some other reason why the above exception occurs only for the URL that errored.

Can anyone help me with this?

Tags: java ssl
1 answer
萌系小妹纸
#2 · 2019-09-01 16:18

Dupe of "Is there a workaround for: java.lang.RuntimeException: Could not generate DH keypair".

To be exact, the problem is with Diffie-Hellman key agreement, or key exchange, of more than 1024 bits, not encryption as such. Java 6 and 7 -- at least from Sun/Oracle -- have this limit, and the Unlimited Strength policy does not change it.

Besides going to Java 8 (or a proxy that isn't Java at all, like httpd or squid) the only way to make it work is to avoid DHE key exchange on a server that wants to use DH bigger than 1024. Java 7 does (by default) enable ECC suites, which depending on the server(s) will often result in selecting ECDHE instead of DHE, which does avoid the problem.

To be clear, you are saying the same URL (or site) worked after only adding Unlimited Strength policy? That's a bit odd. Unlimited Strength policy does enable the AES-256 ciphersuites in the client offered list; it's conceivable that the server accepts (plain)RSA-AES256 and DHE-RSA-AES128 but not RSA-AES128, so that adding the former changes the selection. It's also possible that the webserver config changed, or that it is actually a farm or CDN or something where different server instances vary slightly.

If you are talking about different URLs/sites, it's dead easy for some sites to use a smaller DHE group or no DHE at all.

If you're checking the "encryption" of a site by looking at a browser cert display -- or at the certificate in Java code, which is the same data without the convenient GUI -- that shows only the certificate public key size, almost always RSA 2048 today (www.cabforum.org used to encourage 2048, and as of the beginning of 2014 they require it). Nothing requires the DHE group to be the same size as the certificate (RSA) key, although it's good practice. I don't know any browser display that shows DHE size (if used), and the Java API definitely does NOT provide it.
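The workaround the answer describes (keep the Java 6/7 client from ever negotiating finite-field DHE, so the 1024-bit DH limit is never hit) can be applied from code when you control the SSL socket factory. The following is an added example, not code from the original question, the answer, or WebScarab: it wraps the platform SSLSocketFactory, strips every DHE/DH ciphersuite from the enabled list, and installs the wrapper as the default for HttpsURLConnection. Class and method names are my own; the JSSE API calls are standard in Java 6.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: wraps the platform SSLSocketFactory and removes every
 * ciphersuite that uses finite-field Diffie-Hellman key exchange, so a
 * Java 6/7 client never has to agree on a DH group above its 1024-bit limit.
 * ECDHE suites (where the runtime has them) and plain RSA key transport stay
 * enabled, so the server picks one of those instead of DHE.
 */
public class NoDheSocketFactory extends SSLSocketFactory {

    private final SSLSocketFactory delegate;

    public NoDheSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /**
     * JSSE suite names look like TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
     * SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA or SSL_DH_anon_WITH_RC4_128_MD5.
     * Anything with "_DHE_" or "_DH_" is finite-field DH and is dropped;
     * "_ECDHE_" and "_ECDH_" do not match either pattern and are kept.
     */
    static String[] filterSuites(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_DHE_") || s.contains("_DH_")) {
                continue;
            }
            kept.add(s);
        }
        return kept.toArray(new String[kept.size()]);
    }

    /** Applies the filtered list to a freshly created socket before any handshake. */
    private Socket restrict(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            ssl.setEnabledCipherSuites(filterSuites(ssl.getEnabledCipherSuites()));
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() {
        return filterSuites(delegate.getDefaultCipherSuites());
    }
    @Override public String[] getSupportedCipherSuites() {
        return delegate.getSupportedCipherSuites();
    }

    // This overload is the one HttpsURLConnection uses when layering TLS over
    // an existing socket, e.g. after a CONNECT through an HTTP proxy.
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return restrict(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return restrict(delegate.createSocket(address, port, localAddress, localPort));
    }

    /** Installs the wrapper process-wide and prints which suites survive; needs no network. */
    public static void main(String[] args) throws Exception {
        SSLSocketFactory original = SSLContext.getDefault().getSocketFactory();
        NoDheSocketFactory wrapped = new NoDheSocketFactory(original);
        HttpsURLConnection.setDefaultSSLSocketFactory(wrapped);

        String[] before = original.getDefaultCipherSuites();
        String[] after = wrapped.getDefaultCipherSuites();
        System.out.println(before.length + " default suites, " + after.length + " after removing DHE/DH:");
        for (String s : after) {
            System.out.println("  " + s);
        }
    }
}
```

Two caveats. First, on Java 6 there are no ECDHE suites in the stock provider, so after filtering the client offers only plain RSA key transport (no forward secrecy); on Java 7 the ECDHE suites remain and are normally preferred. Second, a server that accepts nothing but DHE will now fail the handshake outright with a handshake_failure alert rather than the "Could not generate DH keypair" exception, which is at least an honest error. For code you do not control, such as the WebScarab proxy in the question, the same effect is available without recompiling where the client honours the documented `https.cipherSuites` system property (HttpsURLConnection does; WebScarab's own client may not), by listing only the non-DHE suites there.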
