javax.net.ssl.SSLException in jMeter

一整个雨季 2021-01-25 20:34

I am testing some functionality on a server. It was working fine till yesterday. Today they have enabled SSL on the server (i.e., from http to https). Now when I am running my test pla

1 Answer
  • 2021-01-25 20:48

    Dupe of "Java: Why does SSL handshake give 'Could not generate DH keypair' exception?" and "Java 7 and Could not generate DH keypair", except update: Java8 has lifted the DH limit to 2048.

    This occurs when your client Java (JSSE) and the server negotiate a ciphersuite using ephemeral Diffie-Hellman (DHE) and the server uses D-H size larger than 1024 bits and your client Java doesn't support it. This depends on the combination of your client Java version and the server implementation and (usually) configuration, which you don't specify.

    If your client (here jmeter) runs on Java6 or Java7, it cannot handle DH size over 1024, which is now considered necessary for security and required by authorities like NIST for the US government. Solutions in descending desirability are:

    • run client on Java8 (assuming server only wants DHE 2048 bits as is now standard/conventional)

    • if the server also supports ECDHE, and either prefers it over DHE or honors client preference, use any Java8 or recent Java7 (which supports ECDHE and prefers it after about 7u09) or use Java6 with an ECC provider added (which supports and prefers ECDHE) (but Java6 is no longer supported and thus a Bad Idea in general, as well as possibly not supporting a recently-compiled client).

    • if the server also supports plain-RSA (no ephemeral) change your client to only negotiate that. For standard Java HttpsURLConnection this can be done with system property https.cipherSuites; I don't know if Apache httpclient does the same or equivalent. This does not provide Perfect Forward Secrecy for your client, which is less than ideal but more than nothing.

    • change the server to use DHE of 1024 bits (a little less secure for other clients) or only plain-RSA (even less secure for others)
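
An added diagnostic for the options listed in the answer above (not code from the original post): run on the same JVM as the client, it reports which key-exchange families that Java enables by default and prints an `https.cipherSuites` value with the ephemeral-DH suites dropped. The class and method names are illustrative, and dropping only DHE (rather than keeping only plain-RSA) is an assumption that leaves ECDHE on offer where the JVM has it.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added diagnostic example; class and method names are illustrative.
public class DheSuiteReport {

    // Key-exchange family of a JSSE suite name (names start with TLS_ or SSL_).
    static String keyExchange(String suite) {
        String s = suite.replaceFirst("^(TLS|SSL)_", "");
        if (s.startsWith("ECDHE_")) return "ECDHE";
        if (s.startsWith("DHE_") || s.startsWith("DH_anon_")) return "DHE";
        if (s.startsWith("RSA_")) return "RSA";
        return "OTHER"; // TLS 1.3 suites, static (EC)DH, SCSV marker, ...
    }

    // Comma-separated list of the given suites minus ephemeral-DH ones,
    // in the format the https.cipherSuites system property expects.
    static String withoutDhe(String[] suites) {
        StringBuilder sb = new StringBuilder();
        for (String suite : suites) {
            if ("DHE".equals(keyExchange(suite))) continue;
            if (sb.length() > 0) sb.append(',');
            sb.append(suite);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String[] enabled = SSLContext.getDefault()
                .getDefaultSSLParameters().getCipherSuites();
        System.out.println("java.version = " + System.getProperty("java.version"));
        List<String> dhe = new ArrayList<String>();
        int ecdhe = 0, rsa = 0;
        for (String suite : enabled) {
            String kx = keyExchange(suite);
            if (kx.equals("DHE")) dhe.add(suite);
            else if (kx.equals("ECDHE")) ecdhe++;
            else if (kx.equals("RSA")) rsa++;
        }
        System.out.println("DHE suites offered by default: " + dhe);
        System.out.println("ECDHE suites: " + ecdhe + ", plain-RSA suites: " + rsa);
        if (ecdhe == 0 && rsa == 0) {
            System.out.println("No non-DHE fallback enabled; restricting suites will not help.");
            return;
        }
        System.out.println("-Dhttps.cipherSuites=" + withoutDhe(enabled));
    }
}
```

The printed property only helps if the server accepts one of the remaining suites, and, as the answer notes, it applies to the standard `HttpsURLConnection`.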
