That would be very unfortunate. I hope it is fixed; this is certainly
something that should be configurable. For what it's worth, IIS (5+) does use
a stronger (larger) prime and does not suffer this issue.
On Wed, Mar 31, 2010 at 11:53 PM, Kumar Jayanti <Vbkumar.Jayanti_at_sun.com> wrote:
> the following recent thread
> http://forums.sun.com/thread.jspa?threadID=5425442
>
> seems to indicate that this is not possible. But I will need to check with
> the JDK folks and get back to you.
>
>
>
> NBW wrote:
>
> I should have also mentioned this is on GF v2.1 (Sun Java System
> Application Server 9.1_02 (build b04-fcs))
>
> On Wed, Mar 31, 2010 at 2:10 PM, NBW <emailnbw_at_gmail.com> wrote:
>
>> I am trying to establish an SSL connection between VLC and Glassfish using
>> the default self signed cert from GF. After exporting this cert using:
>>
>> <JAVA_HOME>/bin/keytool -export -rfc -alias s1as -keystore
>> <GLASSFISH_HOME>/domains/<DOMAIN_NAME>/config/keystore.jks -file s1as.pem
>>
>> and placing the PEM file into C:\Documents and Settings\alice\Application
>> Data\vlc\ssl\certs as required by VLC I am seeing the following error from
>> VLC when going to the https URL hosted by GF:
>>
>>
>> *gnutls error: TLS handshake error: The Diffie Hellman prime sent by the
>> server is not acceptable (not long enough).
>> main error: TLS client session handshake error
>> gnutls debug: GnuTLS deinitialized*
>>
>> At some point GNU-TLS, which VLC uses, upped the requirement for the min.
>> length of the DH prime it receives from the server. It appears GF's is too
>> short. I am hoping there is some property I can set in the admin console to
>> bump this up, perhaps a JVM property. Also it would be nice to be able to
>> see this setting in the server.log if there is a log/trace setting that will
>> cause it to dump.
>>
>> Any insight is appreciated, thanks,
>>
>> -Noah
>>
>>
>
>
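
An added example, not part of the original thread and not GlassFish, GnuTLS or VLC code: a Python check that reads the Diffie-Hellman prime length out of a TLS DHE ServerKeyExchange handshake message, which is the value the GnuTLS error quoted above rejects. The sample messages, the helper names and the 1024-bit threshold are constructed assumptions, not values taken from either product.

```python
import struct

SERVER_KEY_EXCHANGE = 12  # TLS HandshakeType for ServerKeyExchange (RFC 5246)

def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end

def dh_prime_bits(handshake_msg):
    """Bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(handshake_msg) < 4 or handshake_msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    # ServerDHParams is dh_p, dh_g, dh_Ys; any signature after it is ignored.
    dh_p, off = _read_vec16(body, 0)
    _dh_g, off = _read_vec16(body, off)
    _dh_ys, off = _read_vec16(body, off)
    # bit_length() discounts leading zero bytes in the encoded prime.
    return int.from_bytes(dh_p, "big").bit_length()

def acceptable(handshake_msg, min_bits):
    """True if the server's prime meets the client's minimum (caller-chosen)."""
    return dh_prime_bits(handshake_msg) >= min_bits

def build_sample(p_bytes):
    """Constructed test message; p_bytes is prime-sized filler, not a real prime."""
    def vec(b):
        return struct.pack("!H", len(b)) + b
    body = vec(p_bytes) + vec(b"\x02") + vec(b"\x01" * len(p_bytes))
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

SHORT_MSG = build_sample(b"\xff" * 96)            # constructed 768-bit value
LONG_MSG = build_sample(b"\x00" + b"\xff" * 256)  # constructed 2048-bit value

if __name__ == "__main__":
    MIN_BITS = 1024  # assumed client policy for this demonstration
    for name, msg in (("short", SHORT_MSG), ("long", LONG_MSG)):
        bits = dh_prime_bits(msg)
        print(name, bits, "ok" if acceptable(msg, MIN_BITS) else "rejected")
```

Run against a ServerKeyExchange extracted from a packet capture of the handshake, this gives the prime size the server actually offers, which is the setting the original post hoped to see in server.log.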