SSL handshake exception: "Algorithm constraints check failed: MD5withRSA"

I am trying to install the Oracle Entitlements Server Client. When I call

config.cmd -smConfigId Sample-SM -prpFileName C:\oracle\product\11.1.2\as_1\oessm\SMConfigTool\smconfig.java.controlled.prp 

I get this exception:

  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
      at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
      at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
      at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
      at java.io.OutputStream.write(OutputStream.java:75)
      at oracle.security.oes.enroll.EnrollmentClient.writeToSocket(EnrollmentClient.java:330)
      at oracle.security.oes.enroll.EnrollmentClient.enroll(EnrollmentClient.java:161)
      at oracle.security.oes.enroll.EnrollmentClient.main(EnrollmentClient.java:478)
      at oracle.security.oes.tools.EnrollmentTool.doEnroll(EnrollmentTool.java:103)
      at oracle.security.oes.tools.SMConfigTool.doEnrollment(SMConfigTool.java:1192)
      at oracle.security.oes.tools.SMConfigTool.run(SMConfigTool.java:617)
      at oracle.security.oes.tools.SMConfigTool.main(SMConfigTool.java:546)
  Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
      at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260)
      at sun.security.validator.Validator.validate(Validator.java:260)
      at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
      ... 15 more
  Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
      at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
      at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
      at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
      at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
      at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
      ... 21 more
  sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA

Can you help me find the reason?

The problem is caused by Oracle disabling hash algorithms that are no longer considered secure. Take a look at

 JRE_HOME/lib/security/java.security 

It contains the following properties:

 jdk.certpath.disabledAlgorithms
 jdk.tls.disabledAlgorithms

You can adjust them accordingly. For example, remove MD5 from the former and MD5withRSA from the latter.

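keyser gave the direction of the answer in the comments.

The problem is the key length. In short: "Starting with 7u40, x.509 certificates using RSA keys with a length of less than 1024 bits are restricted."

Therefore, the correct way to solve this problem is to use a certificate with a key length of at least 2048 bits.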