Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption

For some time I have been noticing the following error consistently, when servers are trying to connect to other services using https. What action is to be taken to resolve this? Interestingly, it is happening only on a few servers.

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    ....
    ....
    at com.xyz.rest.XyzService.call(XyzService.java:1239)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 33 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.prepareNextCertO(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 39 more

Thanks all, but I found the answer to this problem. Had an older version of the Bouncy Castle jar; after upgrading the jar bcprov-jdk15on-1.58.jar, the "Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption" error is no longer occurring.

Please review the Java configuration related to TLS on the affected servers. The SDK uses the security properties jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms to disable algorithms during TLS protocol negotiation, and maybe SHA256WithRSAEncryption has been disabled.

You can find the value of these properties in the <install_dir>/jre/lib/security/java.security file of your Java installation.

Please consider reading this related article. It is for IBM SDK 8, but the behavior described should be the same or very similar for other SDK versions and vendors.

Also, consider enabling the java.security.debug environment property with a value of certpath or all when running your program on the affected servers:

-Djava.security.debug=certpath

It will provide you guidance and valuable information about what is going on and why Java is complaining about the algorithm.
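
As an added example (not code from the original thread), a small Java diagnostic for comparing an affected server with an unaffected one: it prints the two security properties as the running JVM sees them, marks entries whose algorithm name is SHA256, RSA or SHA256withRSA for manual review (a heuristic, not the JDK's own matching logic), and reports which provider serves the PKIX CertPathValidator. The class name CertPathDiag and the list of suspect names are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added diagnostic, not from the original thread. Run it with the same JRE,
// classpath and JVM options as the failing service, then diff the output.
public class CertPathDiag {
    // Components of the algorithm named in the exception, plus its JCA name.
    static final List<String> SUSPECTS = Arrays.asList("SHA256", "RSA", "SHA256WITHRSA");

    // Split a disabledAlgorithms value into trimmed, non-empty entries.
    static List<String> entries(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) return out;
        for (String e : value.split(",")) {
            if (!e.trim().isEmpty()) out.add(e.trim());
        }
        return out;
    }

    // Heuristic only: true when the entry's algorithm name (its first token)
    // is one of SUSPECTS. This is not the JDK's own constraint matching.
    static boolean needsReview(String entry) {
        String name = entry.split("\\s+")[0].toUpperCase(Locale.ROOT);
        return SUSPECTS.contains(name);
    }

    public static void main(String[] args) throws Exception {
        for (String prop : new String[] {
                "jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"}) {
            System.out.println(prop + ":");
            for (String e : entries(Security.getProperty(prop))) {
                System.out.println((needsReview(e) ? "  [review] " : "           ") + e);
            }
        }
        // Provider that performs PKIX path validation (Bouncy Castle in the trace above).
        Provider pkix = CertPathValidator.getInstance("PKIX").getProvider();
        System.out.println("PKIX CertPathValidator provider: " + pkix + " - " + pkix.getInfo());
        // Provider order decides which implementation getInstance("PKIX") returns.
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            System.out.println("  " + (i + 1) + ". " + all[i]);
        }
    }
}
```

If the application registers Bouncy Castle programmatically rather than through java.security, the provider lines only reflect the real state when the same calls are made from inside the application.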
