Could not generate DH keypair on SSL

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

The following appears in the atlassian-bitbucket.log:

    2015-02-18 10:04:45,612 WARN [http-nio-7990-exec-5] @28C795x604x776664x0 3hqw0z 10.88.88.6,127.0.0.1 "POST /j_bitbucket_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider Could not authenticate lorenzo.cubero; authentication by com.atlassian.bitbucket.bitbucket-authentication:crowdHttpAuthHandler failed
    com.atlassian.bitbucket.user.AuthenticationSystemException: The remote authentication server is not available. Please try again later.
    ..
    ..
    Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: null
    ..
    ..
    Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_72]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884) ~[na:1.7.0_72]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1842) ~[na:1.7.0_72]
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1825) ~[na:1.7.0_72]
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1751) ~[na:1.7.0_72]
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:127) ~[na:1.7.0_72]
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.7.0_72]
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.7.0_72]

Cause

As documented by Apache, beginning with version 2.4.7 mod_ssl uses built-in DH parameters whose primes are longer than 1024 bits. Java 7 and earlier, however, only support DH primes of at most 1024 bits, so the JVM acting as the TLS client (here, Bitbucket connecting to the remote Crowd server) fails the handshake with "Could not generate DH keypair".

Resolution

You can do either of the following:

  • Add custom DH parameters to the target server's certificate file. First, generate custom DH parameters with the openssl dhparam command, then append them to the PEM file referenced by the SSLCertificateFile directive. Custom DH parameters with a 1024-bit prime always take precedence over any of the built-in DH parameters. This is described in the Apache mod_ssl documentation.

  • Update your Java version to version 8, as the 1024-bit restriction should have been lifted there to accept 2048-bit parameters.

    However, there are reports that moving up to the latest JDK release did not resolve the issue.
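The first option above, as an added example that is not part of the Atlassian KB: a POSIX shell script that appends 1024-bit DH parameters generated with openssl dhparam to the PEM file named by SSLCertificateFile (the path /etc/apache2/ssl/server.crt is an assumed placeholder), and a small check that reads openssl s_client output ("Server Temp Key: DH, 2048 bits") to tell whether a server's ephemeral DH prime is within what a Java 7 client accepts.

```shell
#!/bin/sh
# Added example, not from the Atlassian KB or Apache. Assumed path:
# /etc/apache2/ssl/server.crt stands in for whatever SSLCertificateFile points at.
set -eu

# Returns 0 if the PEM file already carries a DH PARAMETERS block, 1 otherwise.
has_dh_params() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Generate a DH group with the given prime length (default 1024, the largest
# a Java 7 client accepts) and append it to the certificate file. mod_ssl
# 2.4.7+ prefers DH parameters found in SSLCertificateFile over its built-in
# ones. Idempotent: does nothing if a DH block is already present, and keeps
# a backup copy of the original file.
append_dh_params() {
    cert="$1"; bits="${2:-1024}"
    if has_dh_params "$cert"; then
        echo "$cert already contains DH parameters; nothing to do" >&2
        return 0
    fi
    cp -p "$cert" "$cert.bak"
    tmp="$(mktemp)"
    # openssl dhparam writes the parameters in PEM form
    openssl dhparam -out "$tmp" "$bits"
    cat "$tmp" >> "$cert"
    rm -f "$tmp"
    echo "appended ${bits}-bit DH parameters to $cert (backup in $cert.bak)" >&2
}

# Reads `openssl s_client` output on stdin and prints the ephemeral DH size
# from its "Server Temp Key: DH, N bits" line; prints nothing when the
# handshake did not use finite-field DH (e.g. ECDHE).
dh_bits_from_s_client() {
    sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p'
}

# Returns 0 when the negotiated DH prime (if any) is <= 1024 bits, i.e. the
# server is reachable from a Java 7 client; 1 when it is larger.
java7_compatible() {
    bits="$(dh_bits_from_s_client)"
    [ -z "$bits" ] || [ "$bits" -le 1024 ]
}

# Example usage against the assumed certificate path:
#   append_dh_params /etc/apache2/ssl/server.crt 1024
# and, after restarting httpd, confirm the negotiated group size:
#   openssl s_client -connect crowd.example.test:443 -cipher DHE </dev/null 2>/dev/null | java7_compatible
```

The s_client check is the quickest way to confirm which of the two causes you are looking at before touching the server: a "Server Temp Key" of 2048 bits or more with a Java 7 client on the Bitbucket side reproduces the stack trace above. Note that 1024-bit finite-field DH is well below current key-size recommendations, so treat the certificate-file change as a stopgap for the Java 7 client and prefer the Java 8 upgrade where it does resolve the issue.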

Updated on April 15, 2025
