[Netarchivesuite-devel] HTTPS and DH keypair

Nicholas Clarke nicl at kb.dk
Fri Apr 1 13:42:39 CEST 2016


Hi Sara

Most of the world obsoleted 1024-bit RSA/DH keys last year. CAs won't sign anything below 2048-bit keys these days.
So your version of Java is most likely too old to support 2048+ bit keys.

In other words I'm guessing you will have to upgrade to a JDK with more up-to-date crypto support.
Whether this is 1.6.0_27 or newer or JDK7 or 8 is unknown. I haven't studied the specific crypto library in the JDK for such details.

I tried to upgrade the launcher at one point to support a different JAVA_HOME for heritrix than the controller but failed for some reason.
A workaround could be to modify the bash script that calls heritrix indirectly and set a different JAVA_HOME there. This should at least work for H3.
If you insist that JAVA_HOME should be configurable for the launched heritrix you can create a JIRA issue and let nature take its course. :)

Best
Nicholas

From: Netarchivesuite-devel [mailto:netarchivesuite-devel-bounces at ml.sbforge.org] On behalf of sara.aubry at bnf.fr
Sent: 24 March 2016 15:30
To: netarchivesuite-devel at ml.sbforge.org
Cc: bert.wendland at bnf.fr
Subject: [Netarchivesuite-devel] HTTPS and DH keypair

Hello everyone,

Still running NAS 4, heritrix 1.14 and Java 1.6.0_17. We are having more and more trouble with HTTPS websites, getting "Could not generate DH keypair" errors while crawling.
We already had some exchanges about this last year but we were wondering if some of you solved the problem and how.
Also, is there a way we could define a JAVA_HOME for heritrix which is different than the one of the HarvestController?
Thanks for your help,
Sara


----- Forwarded by Sara AUBRY/ETS/BnF on 24/03/2016 15:19 -----

From: Bert WENDLAND/ETS/BnF
To: Sara AUBRY/ETS/BnF at BnF
Date: 24/03/2016 15:14
Subject: DH keypair
________________________________


2016-03-24T14:02:47.736Z    -2          - https://www.estrepublicain.fr/e-services/Login R http://www.estrepublicain.fr/e-services/Login no-type #137 - - http://www.estrepublicain.fr/e-services/Login le:SSLException@HTTP
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
                at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1574)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1557)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1483)
                at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
                at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
                at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
                at org.archive.io.RecordingOutputStream.flush(RecordingOutputStream.java:388)
                at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
                at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
                at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1982)
                at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1000)
                at org.archive.httpclient.HttpRecorderPostMethod.execute(HttpRecorderPostMethod.java:78)
                at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
                at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
                at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
                at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
                at org.archive.crawler.fetcher.FetchHTTP.innerProcess(FetchHTTP.java:500)
                at org.archive.crawler.framework.Processor.process(Processor.java:109)
                at org.archive.crawler.framework.ToeThread.processCrawlUri(ToeThread.java:306)
                at org.archive.crawler.framework.ToeThread.run(ToeThread.java:154)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
                at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:106)
                at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:446)
                at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:171)
                at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
                at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
                at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
                ... 16 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
                at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..)
                at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
                at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:100)
                ... 24 more
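An added example, not part of the original thread: a small probe that reports which Diffie-Hellman prime sizes a given JRE accepts, using the same `KeyPairGenerator.initialize` path that fails in the trace above. The class name `DhKeySizeProbe` is hypothetical, the modulus is a constructed placeholder, and the code avoids Java 7+ syntax so it also compiles on a 1.6 JDK.

```java
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import javax.crypto.spec.DHParameterSpec;

// Hypothetical helper; not part of NetarchiveSuite, Heritrix or the JDK.
public class DhKeySizeProbe {

    // Returns null if this JRE accepts a DH prime of the given size,
    // otherwise the provider's rejection message.
    static String probe(int bits) throws NoSuchAlgorithmException {
        // Constructed placeholder modulus with exactly `bits` bits (not a real
        // prime). The size check seen in the trace runs inside initialize(),
        // so no key pair is ever generated from these parameters.
        BigInteger p = BigInteger.ONE.shiftLeft(bits - 1).setBit(0);
        BigInteger g = BigInteger.valueOf(2);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
        try {
            kpg.initialize(new DHParameterSpec(p, g));
            return null;
        } catch (InvalidAlgorithmParameterException e) {
            return e.getMessage(); // the exception type shown in the trace
        } catch (InvalidParameterException e) {
            return e.getMessage(); // unchecked variant, caught as a precaution
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        int[] sizes = {512, 1024, 2048, 3072, 4096};
        boolean ok2048 = false;
        for (int i = 0; i < sizes.length; i++) {
            String err = probe(sizes[i]);
            System.out.println(sizes[i] + " bits: "
                    + (err == null ? "accepted" : "REJECTED (" + err + ")"));
            if (sizes[i] == 2048 && err == null) {
                ok2048 = true;
            }
        }
        // Non-zero exit lets a launcher script refuse a JRE that cannot
        // complete DHE handshakes with 2048-bit server parameters.
        System.exit(ok2048 ? 0 : 1);
    }
}
```

Compile it once with the oldest JDK in use and run it with the `java` binary of each candidate JAVA_HOME to see which one can handle the DH parameters that HTTPS servers now send.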