function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Ashish AgarwalAshish Agarwal 

System.CalloutException: java.lang.RuntimeException: Could not generate DH keypair


I am trying to get access token from Go Instant . But when I did this,It gives me following error

System.CalloutException: java.lang.RuntimeException: Could not generate DH keypair

I asked  this with Go Instatnt people and they gave me following answer;

It sounds like your SSL Library doesn't support 2048-bit DH parameters. Take a look at the BouncyCastle SSL Library as an alternative to what you're using. If you continue to have problems after changing to BouncyCastle, please email us at support at so we can do a more in-depth debug of your problems.

I dont know how can I know about the ssl liabrary of salesforce and how to check what features are available with this liabrary.

Please help me with this problem.

Ines CostaInes Costa

Hi Ashish,

I've also just seen this error but this time calling a SAP endpoint using Apex/Callouts:
14:10:50.257 (257356275)|SYSTEM_METHOD_ENTRY|[73]|WebServiceCallout.invoke(APEX_OBJECT, APEX_OBJECT, MAP, LIST)
14:10:50.515 (515142006)|EXCEPTION_THROWN|[73]|System.CalloutException: IO Exception: java.lang.RuntimeException: Could not generate DH keypair
14:10:50.757 (757192877)|SYSTEM_METHOD_EXIT|[73]|WebServiceCallout.invoke(APEX_OBJECT, APEX_OBJECT, MAP, LIST)

This is the first time i've encountered it. Did you ever contact Salesforce support? Any solutions? Or was it proven that it's an issue associated to the endpoint/external system (NOT salesforce)?

Many thanks in advance,


Ashish AgarwalAshish Agarwal

Hi Ines,

This issue is totally associated with external system ,you are calling from salesforce.

I had this issue when I was dealing with go-Instant webservice. And I got following reply from them

Your have to configure your external SAP system correctly to be able to call web services from salesforce.


Ines CostaInes Costa
Hi Ashish,

I thought so. I've already raised the issue with our SAP team so they can have a look.
Thank you for the feedback! It's appreciated. :)

Hi all-

Recently our hosting provider upgraded servers which now requires the DH keypair to be a 2048 keypair vs 1024. We tested and sure enough reverting to the old version where 1024 works. It appears as though the java version in Apex is incompatible with generating this higher strength keypair. Is there any way to force Apex to up the strength somehow?
Maria Ines CostaMaria Ines Costa


We had the same issue and our IT seemed to think it was caused by Salesforce Java app does not seeming to work with newer Ciphers:
I don't think there is a way to force Apex to change the security settings - our workaround was to change the server configurations that Salesforce was trying to reach (in our case it was SAP) - configfile somewhere!


Thanks for the response.

Does anyone from monitor this board? If so, is it not possible to have an up to date Java version installed for use with Apex? It seems like without a recent version of Java, security is at risk. I find it hard to believe that salesforce isn't more up to date in this regard.

I'm having the same issue with my application.  Any help here would be much appreciated.
J V 4J V 4
We are experiencing the same problem here. It can not be expected that all callout services stay behind in their security because of salesforce.  Any feedback from the Salesforce would be highly appreciated! 
J V 4J V 4
I also submitted a case to Salesforce support. Unfortunately we do not have the proper support access level to get the case handled.  Maybe someone with the proper support level could submit a case?
Admin User 433Admin User 433
We are having this issue with one of our customers too. I agree fully with aq_dev. I would expect the highest standards here. Asking other technology companies to lower their security standards is not a message of strenght.
I noticed that a fix is expected for summer 2015. No guarantees. Is anyone aware of an intermediate fix? Or a workaround?