License management image can't download Maven plugins from servers with strong DH SSL keys.
Summary
One of our users can't use license management. With their project, the job fails when trying to download a Maven plugin from a server:
Could not generate DH keypair: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 4096 is not supported
See #8830 (closed)
Steps to reproduce
- run the license management image in an empty directory:
mkdir test
cd test
docker run -ti --entrypoint /bin/bash -v $PWD:/code -w /code registry.gitlab.com/gitlab-org/security-products/license-management:11-6-stable
- Create Test.java with this content ("vi" is available in the image):
import java.io.*;
import java.net.*;

public class Test {
    public static void access(String url) {
        System.out.println("Access " + url);
        // Opening the stream triggers the TLS handshake; close it again right away.
        try (InputStream in = new BufferedInputStream(new URL(url).openStream())) {
            // Only report success when the connection was actually established.
            System.out.println("Success!");
        } catch (IOException e) {
            e.printStackTrace();
            System.out.println("Failure!");
        }
    }

    public static void main(String[] args) {
        access("https://nexus.se.rwth-aachen.de/");
        access("https://google.com/");
    }
}
- Compile and run:
javac Test.java
java Test
What is the current bug behavior?
The program accesses https://google.com/ but not https://nexus.se.rwth-aachen.de/
What is the expected correct behavior?
The program accesses https://google.com/ and https://nexus.se.rwth-aachen.de/
Relevant logs and/or screenshots
Exception:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at java.net.URL.openStream(URL.java:1045)
at Test.access(Test.java:10)
at Test.main(Test.java:20)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:142)
at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:114)
at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:711)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:268)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
... 9 more
Caused by: java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 4096 is not supported
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:128)
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:674)
at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:128)
... 17 more
Possible fixes
After a check with the legal department, see if we can distribute https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html in our license management image.
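A network-free check for the same limit, as an added example that is not part of the original issue or of the project's code: it asks the JRE's DH `KeyPairGenerator` which group sizes it accepts and prints the JCE policy's maximum AES key length alongside, so the image can be tested without reaching the Nexus server. The class name `DhSizeCheck` and the list of probed sizes are assumptions, as is the premise that the integer-size `initialize` overload enforces the same range as the parameter-spec overload in the stack trace.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

// Added diagnostic (not from the issue): reports, without any network access,
// which Diffie-Hellman group sizes this JRE's DH KeyPairGenerator accepts.
public class DhSizeCheck {

    // Sizes to probe (assumed list); 4096 is the size named in the exception.
    static final int[] SIZES = {1024, 2048, 3072, 4096};

    // Returns true if an installed provider accepts the given DH modulus size.
    // initialize() validates the size; no key pair is generated here.
    static boolean supportsDhSize(int bits) throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        try {
            kpg.initialize(bits);
            return true;
        } catch (InvalidParameterException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));

        // Integer.MAX_VALUE here means the unlimited-strength policy is active.
        int aesMax = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length allowed by JCE policy = " + aesMax);

        boolean allSupported = true;
        for (int bits : SIZES) {
            boolean ok = supportsDhSize(bits);
            System.out.println("DH " + bits + " bits: " + (ok ? "supported" : "NOT supported"));
            allSupported &= ok;
        }
        // Non-zero exit status lets a CI job fail fast on an affected image.
        System.exit(allSupported ? 0 : 1);
    }
}
```

Compile and run it inside the image the same way as Test.java (`javac DhSizeCheck.java`, then `java DhSizeCheck`); running it before and after any change to the image shows whether the DH size limit itself has moved.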