upgrade activemq from 5.6 to 5.9

upgrade activemq from 5.6 to 5.9

devworkslogin
Hello, I am trying to upgrade from activemq 5.6 to 5.9 or later with embedded activemq broker.

When upgraded to 5.9 and our application starts, any https request fails with the following error:

Could not generate DH keypair; nested exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
 at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:607)
 at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:565)

Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
        at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
        at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:77)
       

Although it doesn't look in any way related to ActiveMQ, it does look like an older version of bouncy castle is being loaded. (We do have bc-prov-1.38.jar in the classpath)

I looked around and found that from activemq 5.8 onwards, there is a transitive dependency on bc-1.47.

Any recommendations on how to resolve this dependency issue? Is this an issue only with activemq 5.9 and bouncy castle or is there some other dependency issue that is not evident?



Re: upgrade activemq from 5.6 to 5.9

Tim Bain
Have you tried removing your dependency on 1.38 and depending only on 1.47?
If that works, it seems like the simplest solution.

Tim

On Jul 5, 2017 4:09 PM, "devworkslogin" <[hidden email]> wrote:

> Hello, I am trying to upgrade from activemq 5.6 to 5.9 or later with
> embedded
> activemq broker.
>
> When upgraded to 5.9 and our application starts, any https request fails
> with the following error:
>
> Could not generate DH keypair; nested exception is
> javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate
> DH keypair
>  at
> org.springframework.web.client.RestTemplate.doExecute(
> RestTemplate.java:607)
>  at
> org.springframework.web.client.RestTemplate.execute(RestTemplate.java:565)
>
> Caused by: java.security.InvalidAlgorithmParameterException: parameter
> object not a ECParameterSpec
>         at
> org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown
> Source)
>         at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:77)
>
>
> Although it doesn't look in any way related to ActiveMQ, it does look like an
> older version of bouncy castle is being loaded. (We do have
> bc-prov-1.38.jar
> in the classpath)
>
> I looked around and found that from activemq 5.8 onwards, there is a
> transitive dependency on bc-1.47.
>
> Any recommendations on how to resolve this dependency issue? Is this an
> issue only with activemq 5.9 and bouncy castle or is there some other
> dependency issue that is not evident?

Re: upgrade activemq from 5.6 to 5.9

devworkslogin
Unfortunately, we cannot upgrade yet to bc-1.47. Is there any other approach that can be considered?

Re: upgrade activemq from 5.6 to 5.9

Tim Bain
Here are a few options off the top of my head:

1. Don't upgrade ActiveMQ till you can upgrade BouncyCastle.
2. Use a debugger to trace the Spring code to figure out which DH algorithm
is the one causing the problem, and then disable its use by your client
code. I've personally never used BouncyCastle, so I don't know offhand how
the disabling gets done (sorry), but I'm confident that the Internet does.
3. Split out your ActiveMQ broker into a standalone process, where its JARs
won't conflict with your app's JARs on the classpath.
4. Stop using the REST API and use the Java JMS client instead.

Tim

On Jul 6, 2017 12:30 PM, "devworkslogin" <[hidden email]> wrote:

> Unfortunately, we cannot upgrade yet to bc-1.47. Is there any other
> approach
> that can be considered?
>
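
An added diagnostic for the provider conflict discussed in this thread (not code from any poster, and not ActiveMQ or BouncyCastle project code): it lists the registered JCA providers in preference order with the jar each was loaded from, then reports which provider answers an unqualified request for an "EC" KeyPairGenerator, the kind of generator whose initialize() call fails in the stack trace. The class name EcProviderCheck and the secp256r1 probe curve are assumptions.

```java
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

// Added diagnostic, not code from the thread. Class and method names are hypothetical.
public class EcProviderCheck {

    // Jar or directory the provider class was loaded from; JDK built-ins may have no CodeSource.
    static String origin(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "(JDK runtime)" : cs.getLocation().toString();
    }

    static String report() {
        StringBuilder out = new StringBuilder();
        Provider[] providers = Security.getProviders(); // returned in preference order
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            boolean ec = p.getService("KeyPairGenerator", "EC") != null;
            out.append(String.format("%2d. %s  EC keygen: %b  loaded from: %s%n",
                    i + 1, p, ec, origin(p)));
        }
        try {
            // No provider named: the JCA picks the first registered one offering "EC".
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            out.append("Default EC KeyPairGenerator: ").append(kpg.getProvider()).append('\n');
            // Assumption: probe with a standard JCA named-curve spec (secp256r1).
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            kpg.generateKeyPair();
            out.append("EC key generation: OK\n");
        } catch (GeneralSecurityException | RuntimeException e) {
            out.append("EC key generation FAILED: ").append(e).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(report());
    }
}
```

Run it on the application's classpath, after any code that registers security providers has executed, so the listing matches what the HTTPS client sees.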