What does “Reason: DHPublicKey does not comply to algorithm constraints” mean?

青春惊慌失措 2021-01-25 17:44

I saw this error when I wanted to connect to another machine:

SEVERE: Could not create connection XXXXX: XXXXX Error establishing socket to host and por

1 answer
  • 2021-01-25 18:15

    The reason was that the server only supported weak ciphers. While updating the server is certainly the clean/good solution, the quick one is to remove the constraints as mentioned here:

    Within /usr/lib/jvm/default-java/jre/lib/security/java.security or - depending on your OS - /etc/crypto-policies/back-ends/java.config you have a line

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    

    Notice the DH keySize < 1024. So no keys which are smaller are allowed.

    Replacing this with

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    

    or completely removing the DH keySize < 1024 part could solve the problem.

    You can do this via

    $ sed -i "s/ DH keySize < 1024,//" /usr/lib/jvm/default-java/jre/lib/security/java.security
    
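A check for the setting the answer above edits, added here as an example (not code from the answer or from the JDK): it reads the effective `jdk.tls.disabledAlgorithms` value, including backslash-continued lines, and reports whether the `DH keySize` constraint is still in place. The function names, the 1024-bit default floor and the sample files are assumptions constructed for this example.

```shell
# Added example; function names and the 1024-bit default floor are assumptions.
# Print the effective jdk.tls.disabledAlgorithms value, joining the
# backslash-continued lines; the last definition in the file wins.
disabled_algorithms() {
    awk '
        !inprop && /^[ \t]*#/ { next }
        !inprop && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            inprop = 1; val = ""; sub(/^[^=]*=/, "")
        }
        inprop {
            sub(/^[ \t]+/, "")
            cont = sub(/\\[ \t]*$/, "")
            val = val $0
            if (!cont) { last = val; inprop = 0 }
        }
        END { if (inprop) last = val; print last }
    ' "$1"
}

# Print N from a "DH keySize < N" entry (the form shown in the answer),
# or "none" when no such entry exists.
dh_min_keysize() {
    disabled_algorithms "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DH[[:space:]]\{1,\}keySize[[:space:]]*<[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*$/\1/p' |
        head -n 1 | grep . || echo none
}

# Return 0 when DH keys below the floor (default 1024 bits) are rejected.
audit_dh() {
    min=$(dh_min_keysize "$1"); floor=${2:-1024}
    if [ "$min" = none ]; then
        echo "WEAK: $1 has no DH keySize constraint"; return 1
    elif [ "$min" -lt "$floor" ]; then
        echo "WEAK: $1 accepts DH keys down to $min bits"; return 1
    fi
    echo "OK: $1 rejects DH keys below $min bits"
}

# Constructed samples: stock line, the "< 768" edit, and the sed removal.
write_samples() {
    cat > "$1/stock" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224
EOF
    sed 's/< 1024/< 768/' "$1/stock" > "$1/lowered"
    sed 's/ DH keySize < 1024,//' "$1/stock" > "$1/removed"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in stock lowered removed; do audit_dh "$tmp/$f" || true; done
rm -rf "$tmp"
```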