My web service in jetty with OpenJDK1.8.0 try to establish an HTTPS connection to an Microsoft server , and I got this error:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
......
Trust Microsoft server's certificate looks fine:
Public Key: RSA (2048 Bits)
Signature Algorithm: sha256RSA
Signature hash algorithm: sha256
None algorathm matched the jre_path/lib/security/java.security disableAlgorithm:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
I checked TLS Cipher Suite support both in jetty and Microsoft , everything look fine:
TLS1_1: ECDHE-RSA-AES256-SHA
TLS1_2: ECDHE-RSA-AES256-SHA384
TLS1: ECDHE-RSA-AES256-SHA
My question:
What caused "Certificates does not conform to algorithm constraints" exception?
As far as I know,OpenJDK supports unlimited strength crypto without the need for additional policy files.Is anythong I omitted?
Thanks!
Caused by the signature algorithm in the certificate used in Windows server adopted an alogrithm in the future TLSv1.3 standard, so the OpenJDK throwen this exception.
Related
Our application still runs on a Tomcat v7.0.47. Now our client requested that we limit the TLS connections to TLSv1.2+ and only allow a specific subset of ciphers. So in server.xml inside the Connector element I specified sslEnabledProtocols="TLSv1.2,TLSv1.3" and
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE-RSA-AES256-SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE-RSA-AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE-RSA-AES256-SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE-RSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384"
as requested.
But when the client (actually a reverse proxy) connects to that Tomcat I get the following error in the catalina.out:
Oct 11, 2022 11:20:16 AM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
SEVERE:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
at sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:97)
at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:89)
at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:71)
at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:666)
at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:808)
at java.lang.Thread.run(Thread.java:750)
javax.net.ssl|FINE|B5|http-nio-8443-Acceptor-0|2022-10-11 11:20:16.045 CEST|HandshakeContext.java:304|No available cipher suite for TLS12
javax.net.ssl|SEVERE|B5|http-nio-8443-Acceptor-0|2022-10-11 11:20:16.045 CEST|TransportContext.java:316|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
at sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:97)
at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:89)
at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:71)
at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:666)
at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:808)
at java.lang.Thread.run(Thread.java:750)}
)```
So, obviously this Tomcat does not "know" or is unable to locate the required ciphers.
Any idea how I can add or configure these? Is there an additional library required to support these ciphers? Or some config that needs to be enabled?
The Tomcat runs on Java 8 (jdk8u322-b06)
My spring boot application could not work with old SSL certificate after upgrading to spring boot 2.6 and Java 17.
After debuging, seems there was problem with TLS version or ciphers suite. I don't have experience with this. But, I tried generate the new self signed SSL certificate, and it works fine.
Debugging with javax.net.debug, and got unclear message. It's different btw using Firefox and Chrome. Here is debug log with Firefox:
2022-09-20 15:26:33.448 [WARN] o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3
2022-09-21 09:46:48.214 [WARN] o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|ERROR|F6|https-jsse-nio-5151-exec-1|2022-09-21 09:46:48.215 BST|TransportContext.java:363|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1764)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)}
)
Does anyone have experience with this?
I am trying to connect Rest service from my application. And my application is deployed to WAS server.
I am using Spring RestTemplate to consumer the rest service and everything working fine in my local WAS setup.
But when i deploy my code to QA environment (lower environment region), i am getting below error in my log file.
[4/30/18 17:18:22:355 EDT] 00000207 SystemErr R org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://host:port/resourcename": com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=XXX Root CA, O="The XXX Services Group, Inc." is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error; nested exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=XXX Root CA, O="The XXX Services Group, Inc." is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[4/30/18 17:18:22:355 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:607)
[4/30/18 17:18:22:356 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
[4/30/18 17:18:22:357 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:357)
I have imported the certs for the port and host using signer certificate option, but still the issue not resolved (Also tried importing root certs). Can any one let me know what could be the issue?
This looks like the JVM you are using does not trust one of the intermediate certificates, as the error suggests.
You need to retrieve the whole certificate chain, not just the root CA certificate and the certificate of the server. You can use your browser or openssl to retrieve the certificate chain. Your client JVM MUST trust each and every certificate in the certificate chain.
See the following:
https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux
I am trying to configure the 3node secured Nifi cluster setup by followinng the below Link .
But between nodes the connection not happened after enabled SSL/LDAP and i am getting the below error.
2017-04-01 09:05:47,494 WARN [Clustering Tasks Thread-2] o.apache.nifi.controller.FlowController Failed to send heartbeat due to: org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 'HEARTBEAT' protocol message due to: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2017-04-01 09:05:47,494 ERROR [Process Cluster Protocol Request-7] o.a.nifi.security.util.CertificateUtils The incoming request did not contain client certificates and thus the DN cannot be extracted. Check that the other endpoint is providing a complete client certificate chain
2017-04-01 09:05:47,494 WARN [Process Cluster Protocol Request-7] o.a.n.c.p.impl.SocketProtocolListener Failed processing protocol message from HKLPATHAS02.hk.example.com due to org.apache.nifi.cluster.protocol.ProtocolException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
org.apache.nifi.cluster.protocol.ProtocolException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.getRequestorDN(SocketProtocolListener.java:221) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:133) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_102]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_102]
Caused by: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromClientSSLSocket(CertificateUtils.java:306) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromSSLSocket(CertificateUtils.java:261) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.getRequestorDN(SocketProtocolListener.java:219) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
... 5 common frames omitted
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) ~[na:1.8.0_102]
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromClientSSLSocket(CertificateUtils.java:291) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
... 7 common frames omitted
Please guide me to resolve this thread.
The error is saying that one node in the cluster is attempting to make a heartbeat connection to the other node, but it is not providing a valid client certificate in order to authenticate itself during the TLS handshake negotiation. There are a few possible reasons for this error:
The node is not sending the client certificate. Ensure that nifi.security.needClientAuth=true and nifi.cluster.protocol.is.secure=true are present in your nifi.properties file.
The truststore on the receiving node does not contain the public key certificate of the connecting node. When you followed the instructions from that link, how did you generate the respective certificates? Using the Apache NiFi TLS Toolkit as described by Pierre should ensure that all node certificates are signed by the same CA and that the CA is imported into the common truststore. If you manually generated your certificates, ensure that they are trusted on each node (you can do this with OpenSSL's s_client tool).
I'm getting below error for public stream using Twitter 4j in IBM WAS 6.1.Can you please suggest on this issue .
INFO: com.ibm.jsse2.util.h: No trusted certificate found
com.ibm.jsse2.util.h: No trusted certificate found
Relevant discussions can be found on the Internet at:
http://www.google.co.jp/search?q=944a924a or
http://www.google.co.jp/search?q=24fd66eb
TwitterException{exceptionCode=[944a924a-24fd66eb 944a924a-24fd66c1 944a924a-24fd66c1], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.3}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:192)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)
at twitter4j.internal.http.HttpClientWrapper.post(HttpClientWrapper.java:98)
at twitter4j.TwitterStreamImpl.getFilterStream(TwitterStreamImpl.java:304)
at twitter4j.TwitterStreamImpl$7.getStream(TwitterStreamImpl.java:292)
at twitter4j.TwitterStreamImpl$TwitterStreamConsumer.run(TwitterStreamImpl.java:462)
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.n.a(n.java:28)
at com.ibm.jsse2.jc.a(jc.java:235)
at com.ibm.jsse2.db.a(db.java:268)
at com.ibm.jsse2.db.a(db.java:272)
at com.ibm.jsse2.eb.a(eb.java:56)
at com.ibm.jsse2.eb.a(eb.java:122)
at com.ibm.jsse2.db.m(db.java:351)
at com.ibm.jsse2.db.a(db.java:173)
at com.ibm.jsse2.jc.a(jc.java:535)
at com.ibm.jsse2.jc.g(jc.java:203)
at com.ibm.jsse2.jc.a(jc.java:97)
at com.ibm.jsse2.jc.startHandshake(jc.java:44)
at com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:38)
at com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:34)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:866)
at com.ibm.net.ssl.www2.protocol.https.a.getOutputStream(a.java:38)
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:150)
... 5 more
Caused by: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.util.g.a(g.java:24)
at com.ibm.jsse2.util.g.b(g.java:54)
at com.ibm.jsse2.util.e.a(e.java:9)
at com.ibm.jsse2.yb.checkServerTrusted(yb.java:4)
at com.ibm.jsse2.hb.checkServerTrusted(hb.java:9)
at com.ibm.jsse2.eb.a(eb.java:193)
... 17 more
Jul 3, 2013 10:14:56 AM twitter4j.internal.logging.CommonsLoggingLogger info
INFO: Waiting for 500 milliseconds
Jul 3, 2013 10:14:56 AM twitter4j.internal.logging.CommonsLoggingLogger info
INFO: Establishing connection.
The issue is now resolved by adding SSL certificate in JVM. This page really helped me to understand SSL connection concept in Java.