You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@maven.apache.org by Dennis Lundberg <de...@apache.org> on 2015/06/25 20:35:46 UTC
Unable to deploy to repository.apache.org using Java 6 any more
Hi
I finally sat down today to start the release of maven-pmd-plugin.
Unfortunately I didn't get very far. When I try to "mvn deploy" the
latest SNAPSHOT I get this error:
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy
(default-deploy) on project maven-pmd-plugin: Failed to retrieve
remote metadata
org.apache.maven.plugins:maven-pmd-plugin:3.5-SNAPSHOT/maven-metadata.xml:
Could not transfer metadata
org.apache.maven.plugins:maven-pmd-plugin:3.5-SNAPSHOT/maven-metadata.xml
from/to apache.snapshots.https
(https://repository.apache.org/content/repositories/snapshots): peer
not authenticated -> [Help 1]
First I checked my credentials and they looked good. After some
googling I suspected an SSL certificate problem, so I checked the cert
for repository.apache.org and found that it is relatively new. At
least more recent than my last release... Then I tried SSLPoke [1]
which is small and simple to use in such cases. With Java 6 I get this
error:
G:\>java SSLPoke repository.apache.org 443
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not
generate DH keypair
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1708)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1691)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1617)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:105)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:114)
at SSLPoke.main(SSLPoke.java:31)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:114)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:559)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:186)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
... 2 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime
size must be multiple of 64, and can only range from 512 to 1024
(inclusive)
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..)
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:107)
... 10 more
and with Java 7 it works fine
G:\>java SSLPoke repository.apache.org 443
Successfully connected
One solution that usually works is to copy the cacerts file from a
more recent Java version, so that you get the most recent list of CA
certificates. I did that, and got the same error as before.
So, where does that leave us? Well it seems that the certificate that
has been deployed to repository.apache.org uses some kind of
encryption technique that Java 6 cannot handle. See the stack trace
above for the details, but my guess that the new cert uses a prime
that is more than 1024 in size.
AFAICT that means that anyone at the ASF wanting to to a release via
repository.apahce.org must do so using Java 7. It would be great if
someone could confirm and even greater if you could reject my
findings...
[1] https://confluence.atlassian.com/display/FISHKB/PKIX+Path+Building+Failed+-+Cannot+Set+Up+Trusted+Applications+To+SSL+Services
--
Dennis Lundberg
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Unable to deploy to repository.apache.org using Java 6 any more
Posted by Dennis Lundberg <de...@apache.org>.
Thanks Bernd,
Unfortunately that property is only available in Java 7 and newer.
On Thu, Jul 2, 2015 at 11:05 PM, Bernd Eckenfels <ec...@zusammenkunft.net> wrote:
> issues.apache.org (JIRA) has the same problem. The 4096bit DHE prime
> is not supported by Java (not even 1.8). It helps to disable DHE
> completely in jre/lib/security/java.security:
>
> jdk.tls.disabledAlgorithms=MD5, RC4, SSLv3, DSA, RSA keySize < 2048, DHE
>
> Gruss
> Bernd
>
>
> Am
> Thu, 25 Jun 2015 20:35:46 +0200 schrieb Dennis Lundberg
> <de...@apache.org>:
>
>> Hi
>>
>> I finally sat down today to start the release of maven-pmd-plugin.
>> Unfortunately I didn't get very far. When I try to "mvn deploy" the
>> latest SNAPSHOT I get this error:
>>
>> [ERROR] Failed to execute goal
>> org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy
>> (default-deploy) on project maven-pmd-plugin: Failed to retrieve
>> remote metadata
>> org.apache.maven.plugins:maven-pmd-plugin:3.5-SNAPSHOT/maven-metadata.xml:
>> Could not transfer metadata
>> org.apache.maven.plugins:maven-pmd-plugin:3.5-SNAPSHOT/maven-metadata.xml
>> from/to apache.snapshots.https
>> (https://repository.apache.org/content/repositories/snapshots): peer
>> not authenticated -> [Help 1]
>>
>> First I checked my credentials and they looked good. After some
>> googling I suspected an SSL certificate problem, so I checked the cert
>> for repository.apache.org and found that it is relatively new. At
>> least more recent than my last release... Then I tried SSLPoke [1]
>> which is small and simple to use in such cases. With Java 6 I get this
>> error:
>>
>> G:\>java SSLPoke repository.apache.org 443
>> javax.net.ssl.SSLException: java.lang.RuntimeException: Could not
>> generate DH keypair
>> at
>> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1708)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1691)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1617)
>> at
>> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:105)
>> at
>> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:114)
>> at SSLPoke.main(SSLPoke.java:31) Caused by:
>> java.lang.RuntimeException: Could not generate DH keypair at
>> com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:114) at
>> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:559)
>> at
>> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:186)
>> at
>> com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
>> at
>> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
>> at
>> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100) ...
>> 2 more Caused by: java.security.InvalidAlgorithmParameterException:
>> Prime size must be multiple of 64, and can only range from 512 to
>> 1024 (inclusive) at
>> com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..) at
>> java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
>> at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:107) ...
>> 10 more
>>
>> and with Java 7 it works fine
>>
>> G:\>java SSLPoke repository.apache.org 443
>> Successfully connected
>>
>> One solution that usually works is to copy the cacerts file from a
>> more recent Java version, so that you get the most recent list of CA
>> certificates. I did that, and got the same error as before.
>>
>> So, where does that leave us? Well it seems that the certificate that
>> has been deployed to repository.apache.org uses some kind of
>> encryption technique that Java 6 cannot handle. See the stack trace
>> above for the details, but my guess that the new cert uses a prime
>> that is more than 1024 in size.
>>
>> AFAICT that means that anyone at the ASF wanting to to a release via
>> repository.apahce.org must do so using Java 7. It would be great if
>> someone could confirm and even greater if you could reject my
>> findings...
>>
>>
>> [1]
>> https://confluence.atlassian.com/display/FISHKB/PKIX+Path+Building+Failed+-+Cannot+Set+Up+Trusted+Applications+To+SSL+Services
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org
>
--
Dennis Lundberg
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Unable to deploy to repository.apache.org using Java 6 any more
Posted by Bernd Eckenfels <ec...@zusammenkunft.net>.
issues.apache.org (JIRA) has the same problem. The 4096bit DHE prime
is not supported by Java (not even 1.8). It helps to disable DHE
completely in jre/lib/security/java.security:
jdk.tls.disabledAlgorithms=MD5, RC4, SSLv3, DSA, RSA keySize < 2048, DHE
Gruss
Bernd
Am
Thu, 25 Jun 2015 20:35:46 +0200 schrieb Dennis Lundberg
<de...@apache.org>:
> Hi
>
> I finally sat down today to start the release of maven-pmd-plugin.
> Unfortunately I didn't get very far. When I try to "mvn deploy" the
> latest SNAPSHOT I get this error:
>
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy
> (default-deploy) on project maven-pmd-plugin: Failed to retrieve
> remote metadata
> org.apache.maven.plugins:maven-pmd-plugin:3.5-SNAPSHOT/maven-metadata.xml:
> Could not transfer metadata
> org.apache.maven.plugins:maven-pmd-plugin:3.5-SNAPSHOT/maven-metadata.xml
> from/to apache.snapshots.https
> (https://repository.apache.org/content/repositories/snapshots): peer
> not authenticated -> [Help 1]
>
> First I checked my credentials and they looked good. After some
> googling I suspected an SSL certificate problem, so I checked the cert
> for repository.apache.org and found that it is relatively new. At
> least more recent than my last release... Then I tried SSLPoke [1]
> which is small and simple to use in such cases. With Java 6 I get this
> error:
>
> G:\>java SSLPoke repository.apache.org 443
> javax.net.ssl.SSLException: java.lang.RuntimeException: Could not
> generate DH keypair
> at
> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1708)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1691)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1617)
> at
> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:105)
> at
> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:114)
> at SSLPoke.main(SSLPoke.java:31) Caused by:
> java.lang.RuntimeException: Could not generate DH keypair at
> com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:114) at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:559)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:186)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
> at
> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100) ...
> 2 more Caused by: java.security.InvalidAlgorithmParameterException:
> Prime size must be multiple of 64, and can only range from 512 to
> 1024 (inclusive) at
> com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..) at
> java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
> at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:107) ...
> 10 more
>
> and with Java 7 it works fine
>
> G:\>java SSLPoke repository.apache.org 443
> Successfully connected
>
> One solution that usually works is to copy the cacerts file from a
> more recent Java version, so that you get the most recent list of CA
> certificates. I did that, and got the same error as before.
>
> So, where does that leave us? Well it seems that the certificate that
> has been deployed to repository.apache.org uses some kind of
> encryption technique that Java 6 cannot handle. See the stack trace
> above for the details, but my guess that the new cert uses a prime
> that is more than 1024 in size.
>
> AFAICT that means that anyone at the ASF wanting to to a release via
> repository.apahce.org must do so using Java 7. It would be great if
> someone could confirm and even greater if you could reject my
> findings...
>
>
> [1]
> https://confluence.atlassian.com/display/FISHKB/PKIX+Path+Building+Failed+-+Cannot+Set+Up+Trusted+Applications+To+SSL+Services
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Unable to deploy to repository.apache.org using Java 6 any more
Posted by Tibor Digana <ti...@apache.org>.
Also have to use jdk 7 in deployment.
This post says that it's a kind of wildcard issue, I guess on host.
https://community.oracle.com/thread/2517881
I don't have JDK 6 on my system. Only 5 and 7.
The first time I deployed to Nexus the SSL version made problem and
therefore had to set property -Dhttps.protocols="TLSv1" in maven_opts. Try
with this, maybe it will change for you.
--
View this message in context: http://maven.40175.n5.nabble.com/Unable-to-deploy-to-repository-apache-org-using-Java-6-any-more-tp5838627p5838651.html
Sent from the Maven Developers mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org