Based on an internal email discussion, this was pointed out.

    java.lang.RuntimeException: Could not generate secret[[
            at
com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:973)
            at
com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:485)
            at
com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:753)
            at
com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)

I note that DHCrypt/ECDHCrypto have this message. During the processing of other messages, we check to see if there was an exception thrown and then wrap it, but we don't do that there. Several examples:

        SecretKey getAgreedSecret(...) {
        ...deleted...
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Could not generate secret", e);
        } catch (java.io.IOException e) {
            throw new RuntimeException("Could not generate secret", e);
        }

and then in the handshakers:

        case K_DHE_RSA:
        case K_DHE_DSS:
        case K_DH_ANON:
            preMasterSecret = dh.getAgreedSecret(serverDH, true);
            break;
        case K_ECDHE_RSA:
        case K_ECDHE_ECDSA:
        case K_ECDH_ANON:
            preMasterSecret = ecdh.getAgreedSecret(ephemeralServerKey);
            break;

A RTE will propagate all the way out.

In other spots of the code (e.g. server_key_exchange), we do:

     try {
         this.serverKeyExchange(new RSA_ServerKeyExchange(input));
     } catch (GeneralSecurityException e) {
         throwSSLException("Server key", e);
     }
     break;

We should also look to see where else this is done.