OpenJDK: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

Time: 2017-03-28 08:48:04

Tags: algorithm ssl certificate jetty openjdk

A web service running on OpenJDK 1.8.0 in Jetty tries to open an HTTPS connection to a Microsoft server, and I get this error:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
......

The trusted Microsoft server certificate looks fine:

  • Public key: RSA (2048 bits)
  • Signature algorithm: sha256RSA
  • Signature hash algorithm: sha256

No algorithm matches the disabledAlgorithms entries in jre_path/lib/security/java.security:

    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

I checked the TLS cipher suites supported by Jetty and by Microsoft, and everything looks fine:

  • TLS1_1: ECDHE-RSA-AES256-SHA
  • TLS1_2: ECDHE-RSA-AES256-SHA384
  • TLS1: ECDHE-RSA-AES256-SHA

My questions:

  1. What causes "Certificates does not conform to algorithm constraints"?
  2. As far as I know, OpenJDK supports unlimited-strength cryptography without an extra policy file. What am I missing?
  3. Thanks!
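The check behind this exception can be reproduced outside the handshake. The following is an added example, not code from the question or from OpenJDK: a simplified re-implementation of the jdk.certpath.disabledAlgorithms matching, applied to the certificate described in the question (the class name AlgConstraintCheck and the parser are assumptions; it handles plain algorithm names and "keySize <op> N" constraints only).

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
import java.util.regex.*;

/** Added example, not from the original post or OpenJDK: a simplified re-implementation of the
 *  jdk.certpath.disabledAlgorithms check (plain algorithm names and "keySize <op> N" only). */
public class AlgConstraintCheck {
    private static final Pattern KEYSIZE =
        Pattern.compile("keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+)", Pattern.CASE_INSENSITIVE);

    /** Returns the entries that reject the certificate; an empty list means it conforms. */
    static List<String> violations(String disabled, String sigAlg, String keyAlg, int keySize) {
        // The JDK decomposes "SHA256withRSA" into "SHA256" and "RSA", so "MD5" alone also disables MD5withRSA.
        Set<String> names = new HashSet<>(Arrays.asList(sigAlg.toUpperCase().split("WITH|AND")));
        names.add(sigAlg.toUpperCase());
        names.add(keyAlg.toUpperCase());
        List<String> hits = new ArrayList<>();
        for (String raw : disabled.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            String alg = entry.split("\\s+")[0].toUpperCase();
            if (!names.contains(alg)) continue;
            Matcher m = KEYSIZE.matcher(entry);
            if (!m.find()) { hits.add(entry); continue; }   // algorithm disabled outright
            // keySize limits apply to the key algorithm; skip when the key size is unknown
            if (!alg.equals(keyAlg.toUpperCase()) || keySize < 0) continue;
            int limit = Integer.parseInt(m.group(2)); String op = m.group(1);
            boolean banned = op.equals("<") ? keySize < limit : op.equals("<=") ? keySize <= limit
                : op.equals(">") ? keySize > limit : op.equals(">=") ? keySize >= limit
                : op.equals("==") ? keySize == limit : keySize != limit;
            if (banned) hits.add(entry);
        }
        return hits;
    }

    /** Checks a real certificate against the running JVM's effective java.security setting. */
    static List<String> violations(X509Certificate cert) {
        PublicKey key = cert.getPublicKey();
        int size = key instanceof RSAPublicKey ? ((RSAPublicKey) key).getModulus().bitLength() : -1;
        return violations(Security.getProperty("jdk.certpath.disabledAlgorithms"),
                          cert.getSigAlgName(), key.getAlgorithm(), size);
    }

    public static void main(String[] args) {
        String policy = "MD2, MD5, RSA keySize < 1024";   // the value quoted in the question
        // The certificate described in the question (sha256RSA, RSA 2048), then a constructed
        // MD5withRSA / 512-bit counter-example that trips two entries.
        System.out.println(violations(policy, "SHA256withRSA", "RSA", 2048));
        System.out.println(violations(policy, "MD5withRSA", "RSA", 512));
    }
}
```

Running the second overload against the chain the server actually presents (for example by capturing it in a custom X509TrustManager) shows which entry, if any, the JVM's own policy objects to; note that the real check also covers every intermediate certificate in the chain, not only the leaf.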

1 answer:

Answer 0: (score: 0)

OpenJDK throws this exception because the signature algorithm used in the certificate on the Windows server is an algorithm from the future TLSv1.3 standard.