簽名算法的算法約束檢查失敗：SHA256WithRSAEncryption

Question

有時，當服務器嘗試使用 https 連接其他服務時，我一直注意到以下錯誤。 要采取什么措施來解決這個問題。 有趣的是，它只發生在少數服務器上。

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    ....
    ....
at com.xyz.rest.XyzService.call(XyzService.java:1239)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 33 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.prepareNextCertO(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 39 more

Answer 1

謝謝大家，但我找到了這個問題的答案。 Had an older version of bouncy castle jar, after upgrading the the jar bcprov-jdk15on-1.58.jar, the "Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption" error is no longer occurring.

Answer 2

請查看受影響服務器中與 TLS 相關的 java 配置，SDK 使用安全屬性jdk.certpath.disabledAlgorithms和jdk.tls.disabledAlgorithm在 TLS 協議協商期間禁用算法，並且可能已禁用SHA256WithRSAEncryption 。

您可以在 Java 安裝的<install_dir>/jre/lib/security/java.security文件中找到這些屬性的值。

請考慮閱讀這篇相關文章，它適用於 IBM SDK 8，但對於其他 SDK 版本和供應商，描述的行為應該相同或非常相似。

此外，在受影響的服務器中運行程序時，請考慮啟用值為certpath或all的java.security.debug環境屬性：

-Djava.security.debug=certpath

它將為您提供有關正在發生的事情以及 Java 抱怨該算法的原因的指導和有價值的信息。

簽名算法的算法約束檢查失敗：SHA256WithRSAEncryption

問題描述

2 個解決方案

解決方案1
1 已采納 2021-02-17 16:35:26

解決方案2
0 2021-02-13 22:35:07

簽名算法的算法約束檢查失敗：SHA256WithRSAEncryption

問題描述

2 個解決方案

解決方案1 1 已采納 2021-02-17 16:35:26

解決方案2 0 2021-02-13 22:35:07

解決方案1
1 已采納 2021-02-17 16:35:26

解決方案2
0 2021-02-13 22:35:07