Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/21218217/

Date: 2020-08-13 07:24:14  Source: igfitidea

SSL handshake exception: "Algorithm constraints check failed: MD5withRSA"

java ssl

Asked by egorlitvinenko

I tried to install Oracle Entitlements Server Client. When I call

    config.cmd -smConfigId Sample-SM -prpFileName C:\oracle\product.1.2\as_1\oessm\SMConfigTool\smconfig.java.controlled.prp

I got this Exception:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at java.io.OutputStream.write(OutputStream.java:75)
        at oracle.security.oes.enroll.EnrollmentClient.writeToSocket(EnrollmentClient.java:330)
        at oracle.security.oes.enroll.EnrollmentClient.enroll(EnrollmentClient.java:161)
        at oracle.security.oes.enroll.EnrollmentClient.main(EnrollmentClient.java:478)
        at oracle.security.oes.tools.EnrollmentTool.doEnroll(EnrollmentTool.java:103)
        at oracle.security.oes.tools.SMConfigTool.doEnrollment(SMConfigTool.java:1192)
        at oracle.security.oes.tools.SMConfigTool.run(SMConfigTool.java:617)
        at oracle.security.oes.tools.SMConfigTool.main(SMConfigTool.java:546)
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
        ... 15 more
    Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
        at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
        ... 21 more
    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA

Can you help me to find a reason?

Accepted answer by egorlitvinenko

keyser gave direction for answer in comment.

Problem was in key's length. In short: "Starting from 7u40, the use of x.509 certificates with RSA keys less than 1024 bits in length is restricted."

So the right way to solve this problem is to use certificates with a key length of at least 2048 bits.

Answer by Igor Nardin

The problem is caused by Oracle disabling hash algorithms which are no longer considered to be secure. Take a look at

    JRE_HOME/lib/security/java.security

It contains the following properties:

    jdk.certpath.disabledAlgorithms
    jdk.tls.disabledAlgorithms

You can adjust them appropriately. For example, remove MD5 from the former and MD5withRSA from the latter.

Hint for docker images:

There is an additional config file /etc/crypto-policies/back-ends/java.config in some docker images, like keycloak in my case, which overrides values in java.security
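
An added example, not part of the original answers or of Oracle's tooling: a small Java program that prints the effective values of the two properties named above and, given a certificate file, flags each certificate whose signature algorithm or RSA key size matches a `jdk.certpath.disabledAlgorithms` entry, so the certificate that needs reissuing can be identified. The class name `CertConstraintReport`, the file argument and the simplified entry matching (plain algorithm names and `RSA keySize < N` only) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Locale;

// Added example (hypothetical class name): report which certificates trip the constraints.
public class CertConstraintReport {
    public static void main(String[] args) throws Exception {
        // Values as this JVM sees them, which is what path validation enforces.
        String certpath = Security.getProperty("jdk.certpath.disabledAlgorithms");
        String tls = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.certpath.disabledAlgorithms = " + certpath);
        System.out.println("jdk.tls.disabledAlgorithms      = " + tls);
        if (args.length == 0 || certpath == null) return;
        // args[0]: PEM or DER file holding the server's certificates (assumption).
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                String sigAlg = x.getSigAlgName(); // e.g. MD5withRSA
                int rsaBits = x.getPublicKey() instanceof RSAPublicKey
                        ? ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength() : -1;
                System.out.printf("%s%n  sigAlg=%s rsaBits=%d%n",
                        x.getSubjectX500Principal().getName(), sigAlg, rsaBits);
                for (String entry : certpath.split(",")) {
                    String[] tok = entry.trim().split("\\s+");
                    if (tok.length == 1 && hasComponent(sigAlg, tok[0])) {
                        System.out.println("  blocked: signature uses disabled algorithm " + tok[0]);
                    } else if (tok.length == 4 && tok[0].equalsIgnoreCase("RSA")
                            && tok[1].equalsIgnoreCase("keySize") && tok[2].equals("<")
                            && rsaBits >= 0 && rsaBits < Integer.parseInt(tok[3])) {
                        System.out.println("  blocked: RSA key shorter than " + tok[3] + " bits");
                    }
                }
            }
        }
    }

    // Simplified stand-in for the JDK's own name decomposition: MD5withRSA -> MD5, RSA.
    static boolean hasComponent(String sigAlg, String disabled) {
        for (String part : sigAlg.toUpperCase(Locale.ROOT).split("WITH|AND")) {
            if (part.equals(disabled.toUpperCase(Locale.ROOT))) return true;
        }
        return false;
    }
}
```

Run it with the same JRE, and inside the same container image, as the failing client, so the printed property values are the ones that client actually enforces.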