Workaround for "DH Keypair could not be generated"

Open adambard opened this issue 12 years ago • 2 comments

Hey, this is more of an FYI than a serious pull request. I had some trouble making requests to Reddit's API from Heroku thanks to an OpenJDK issue that disallows DH SSL over 1024 bits. I came up with this workaround more-or-less based on http://stackoverflow.com/questions/10687200/java-7-and-could-not-generate-dh-keypair

I'm not sure how common this issue is, and I won't take it personally if you just close it, but I'm sending a pull for posterity anyhow.

adambard, Aug 22 '13 04:08

Thanks for the PR. I feel a little iffy about it for three reasons:

  1. disabling all DH cipher suites
  2. requiring AOT compilation
  3. not configurable

If you are interested in addressing those three points, that would be cool; if not, I'll see if I can, so no worries.

hiredman, Aug 26 '13 16:08

  1. Definitely, it's a sketchy workaround with narrow applicability.
  2. I had some trouble getting it to play nice with proxy, but I could give it another go.
  3. I don't know in what other situation it would be necessary to start wholesale disabling cipher suites. Perhaps a :disable-dh-cipher-suites option accepted by core/request would be sufficient? Or perhaps just a :wrap-connection option that would let me (the user) commit whatever unadvisable connection factory mangling I want in my application code?

adambard, Aug 28 '13 04:08
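
One way the per-connection option floated in the last comment could look without AOT compilation, as an added example that is not code from the pull request or from clj-http-lite. It assumes the client connects through javax.net.ssl.HttpsURLConnection; the namespace and function names (example.no-dhe, dhe-suite?, no-dhe-socket-factory, open-without-dhe) are hypothetical.

```clojure
(ns example.no-dhe                       ; hypothetical namespace
  (:import (java.net URL)
           (javax.net.ssl HttpsURLConnection SSLContext SSLSocket SSLSocketFactory)))

(defn dhe-suite?
  "True for finite-field DH suites (TLS_DHE_*, TLS_DH_*, SSL_DHE_*, SSL_DH_*).
  ECDHE/ECDH names do not match, so elliptic-curve key exchange is kept."
  [^String suite]
  (boolean (re-find #"^(TLS|SSL)_DHE?_" suite)))

(defn- without-dhe
  "Returns a String[] of the given suite names minus the finite-field DH ones."
  [suites]
  (into-array String (remove dhe-suite? suites)))

(defn- strip-dhe
  "Narrows the enabled suites on an SSLSocket; other sockets pass through."
  [socket]
  (when (instance? SSLSocket socket)
    (.setEnabledCipherSuites ^SSLSocket socket
                             (without-dhe (.getEnabledCipherSuites ^SSLSocket socket))))
  socket)

(defn no-dhe-socket-factory
  "Wraps `delegate` with `proxy` (no gen-class, so no AOT step). Every socket
  it creates has its DHE suites removed before the handshake starts."
  [^SSLSocketFactory delegate]
  (proxy [SSLSocketFactory] []
    (getDefaultCipherSuites [] (without-dhe (.getDefaultCipherSuites delegate)))
    (getSupportedCipherSuites [] (without-dhe (.getSupportedCipherSuites delegate)))
    ;; One fn per arity; same-arity overloads are resolved reflectively
    ;; against the delegate at call time.
    (createSocket
      ([] (strip-dhe (.createSocket delegate)))
      ([a b] (strip-dhe (.createSocket delegate a b)))
      ([a b c] (strip-dhe (.createSocket delegate a b c)))
      ([a b c d] (strip-dhe (.createSocket delegate a b c d))))))

(defn open-without-dhe
  "Opens (without connecting) an https:// URL whose handshake offers no DHE
  suites. Only this connection is affected; JVM-wide defaults stay untouched."
  [^String url]
  (let [^HttpsURLConnection conn (.openConnection (URL. url))]
    (.setSSLSocketFactory
      conn (no-dhe-socket-factory (.getSocketFactory (SSLContext/getDefault))))
    conn))
```

Because the filter is applied per connection and leaves ECDHE suites enabled, a caller can opt in for the one affected host while every other request keeps the JVM's default suite list.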