javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints - Fatal编程技术网


We have a one-way SSL HTTPS server that sends a CA certificate to the client. When the client sends a request to the server, we get a javax.net.ssl.SSLHandshakeException.

When the client sends a request to the HTTPS server, the server throws an SSLHandshakeException as shown below. We tried editing the java.security file, but it does not seem to work.

2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002- |NF javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
2016/08/31-12:19:18.231919-16953-17284-0x018c510000000001-002-  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)


Client and Server connection is established.

root@myhostname> wget --no-check-certificate https://myserver:4443/zen_myevent_listener/eventListener/p1
--2016-09-01 05:09:44--  https://myserver/zen_myevent_listener/eventListener/p1
Connecting to 10.255.120.133:4443... connected.
Its algorithm is shown in the image below:

These are the certificates we generated on the HTTPS server:

-rw-------. 1 root root     3967 Aug 26 15:07 01.pem
-rw-------. 1 root root     1659 Aug 26 15:06 ca.crt
-rw-------. 1 root root     1751 Aug 26 15:05 ca.key
-rw-------. 1 root root      112 Aug 26 15:07 index.txt
-rw-------. 1 root root       21 Aug 26 15:07 index.txt.attr
-rw-------. 1 root root        0 Aug 26 15:05 index.txt.old
-rw-------. 1 root root 42542116 Aug 31 09:48 log.txt
-rwxrwxrwx. 1 root root     8805 Aug 26 12:51 openssl.cnf
-rw-------. 1 root root        3 Aug 26 15:07 serial
-rw-------. 1 root root        3 Aug 26 15:04 serial.old
-rw-------. 1 root root     5626 Aug 26 15:07 server-chain.crt
-rw-------. 1 root root     3967 Aug 26 15:07 server.crt
-rw-------. 1 root root      806 Aug 26 15:06 server.csr
-rw-------. 1 root root      887 Aug 26 15:06 server.key
and the 01.pem / 01.der files are placed on the client.

When we searched and checked, we found the fix/solution below. Even after trying this, we still get the same error.

The cause is twofold:

  • Sentinel 7.1 SP1 or later ships with an updated Java version that has a restriction which does not allow RSA key sizes smaller than 1024.
  • The default certificates used in the logging applications have a key size smaller than 1024 and do not comply with this restriction. The server therefore rejects the connection with the error message shown above.

The quickest way to get the system working again is to revert this change: edit the file jre/lib/security/java.security and look for the line:

Restart Sentinel for the change to take effect.

This is not a solution but a workaround to get things working after the upgrade.

The proper solution is to use custom certificates with strong encryption (key size of 1024 or more) on the logging applications. Once all applications have been updated, the restriction can be put back in place.

IDM 4.5 includes an instrumentation upgrade that uses certificates with a key size greater than 1024 to address this issue.

eDirectory 88 SP8 Patch 2 and eDirectory 88 SP7 Patch 6 include the instrumentation upgrade with certificates of key size greater than 1024 to address this issue. (Note: the instrumentation is not installed automatically. After upgrading eDirectory, the instrumentation package from the eDir patch must also be installed manually.)

Even after trying this, we still get the same error. Can someone help us with this?

Below is the output of openssl x509 -text -in server.crt:

root@rover> openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IN, ST=Karnataka, L=Bangalore, O=mycompany, OU=abc, CN=rover/emailAddress=myemail@gmail.com
        Validity
            Not Before: Aug 26 09:37:05 2016 GMT
            Not After : Dec  9 09:37:05 2019 GMT
        Subject: C=IN, ST=Karnataka, O=mycompany, OU=IMS, CN=rover/emailAddress=myemail@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a4:51:0e:c5:7e:eb:e9:8e:89:9c:79:6a:b5:94:
                    d3:94:53:43:b2:26:47:a5:13:25:87:a3:73:03:27:
                    4f:f8:b2:60:86:00:b3:c7:8a:d4:bd:3c:70:33:1e:
                    16:4b:0a:e7:a7:50:a6:48:0e:33:cf:6e:72:30:13:
                    c0:bd:1a:b3:57:ec:ec:bd:6b:90:84:f4:79:a9:29:
                    48:50:7d:e0:07:22:c5:cc:b1:81:4d:8d:61:f5:c6:
                    58:87:73:e0:1b:b9:a1:fc:a0:1a:42:79:96:f6:11:
                    cf:0a:60:fe:26:d4:e3:a6:b8:ca:8d:2c:48:b1:41:
                    5e:f8:64:a6:2f:02:e5:5b:8f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:C5:05:6A:D7:1B:9A:E1:B6:A5:A2:2F:70:2B:13:C6:C2:74:DA:70:45
                DirName:/C=IN/ST=Karnataka/L=Bangalore/O=mycompany/OU=IMS/CN=rover/emailAddress=myemail@gmail.com
                serial:B0:C5:54:AC:F8:78:7B:5F

    Signature Algorithm: md5WithRSAEncryption
         36:ae:d7:aa:c2:ce:20:91:c9:57:77:e7:4b:c5:e1:b5:28:5d:
         4b:85:db:03:90:67:4e:f9:7d:b1:35:8c:de:80:6d:bf:f5:d0:
         c9:1b:10:8a:c2:de:5e:88:d6:f6:0d:fc:05:92:f0:88:81:98:
         8c:c9:a4:57:1b:70:7d:8d:dc:90:c9:cd:e3:77:1f:81:f0:63:
         39:42:14:ff:d6:46:cb:f9:84:2c:8d:cc:1e:b5:b9:6a:12:2a:
         c4:d4:5c:fa:79:a6:ea:a8:9b:53:65:54:c9:68:a4:d8:63:0f:
         64:a5:35:88:6d:9f:3b:bf:dd:ec:5f:69:95:a2:17:94:97:c9:
         26:89:d2:1b:12:2f:39:35:1f:aa:41:d0:23:2f:0e:c8:83:02:
         9d:70:46:ff:23:3d:5b:46:58:fa:ff:1c:3f:d1:9b:78:21:b9:
         cf:ae:b5:3c:64:12:70:92:71:0f:9f:b0:f9:54:6a:e7:51:41:
         b0:66:2f:0a:57:a1:a7:e6:f8:e0:7b:46:7d:e5:66:b7:f7:e9:
         d4:23:16:89:b0:bc:8e:c5:e6:b9:69:a1:bc:2b:98:08:fc:10:
         9c:9e:71:a8:b6:c1:fa:9a:71:5a:79:9d:07:cb:73:d4:e7:5a:
         01:16:76:38:6e:29:8b:6a:12:72:e9:ac:36:54:a2:9f:75:ef:
         3b:6e:c6:e0
This is bad. MD5 as a signature algorithm has been broken for many years, and this breakage was already successfully used for a major attack (Stuxnet) several years ago. My guess is that Java complains about this.


Since the certificate was obviously created only recently, someone messed up the creation of the certificate. Do not try to work around this problem; instead create proper certificates, i.e. use a proper signature algorithm (SHA-256 instead of MD5) and a proper key size (2048 instead of 1024).
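To see why the key-size workaround the asker found does not help, the following added example (not code from the question or the answers) evaluates a certificate's signature algorithm and key size against a jdk.certpath.disabledAlgorithms-style policy string. The policy value, the algorithm table and the certificate descriptors are constructed for the example; the descriptor fields for the server certificate are copied from the openssl output in the question.

```python
import re

# OpenSSL signature-algorithm name -> (digest, key algorithm) that Java's
# constraint check looks at. Constructed table, not taken from the JDK.
SIG_ALG_COMPONENTS = {
    "md5WithRSAEncryption": ("MD5", "RSA"),
    "sha1WithRSAEncryption": ("SHA1", "RSA"),
    "sha256WithRSAEncryption": ("SHA256", "RSA"),
}
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
# One entry: a bare algorithm name, optionally followed by 'keySize OP N'.
_ENTRY = re.compile(r"([A-Za-z0-9_-]+)(?:\s+keySize\s*(<=|>=|!=|==|<|>)\s*(\d+))?")

def parse_constraints(policy):
    """Parse a jdk.certpath.disabledAlgorithms-style value into (alg, op, bits) rules.
    Only bare names and keySize entries are handled; anything else (jdkCA, usage,
    denyAfter) raises so it is not silently ignored."""
    rules = []
    for entry in (e.strip() for e in policy.split(",")):
        if not entry:
            continue
        m = _ENTRY.fullmatch(entry)
        if not m:
            raise ValueError(f"unsupported constraint: {entry!r}")
        alg, op, bits = m.groups()
        rules.append((alg.upper(), op, int(bits) if bits else None))
    return rules

def violations(cert, rules):
    """Return the rules a certificate breaks. cert carries the fields read off
    'openssl x509 -text': signature algorithm, public key algorithm and key bits."""
    digest, sig_key_alg = SIG_ALG_COMPONENTS[cert["sig_alg"]]
    key_alg, key_bits = cert["key_alg"].upper(), cert["key_bits"]
    hits = []
    for alg, op, bits in rules:
        if bits is None:
            # A bare name disables the digest, the signing key type or the key type.
            if alg in (digest, sig_key_alg, key_alg):
                hits.append(f"{alg} is disabled")
        elif alg == key_alg and _OPS[op](key_bits, bits):
            hits.append(f"{alg} keySize {key_bits} violates keySize {op} {bits}")
    return hits

# Constructed policy in the format of the jdk.certpath.disabledAlgorithms line.
DEFAULT_POLICY = "MD2, MD5, RSA keySize < 1024"
# Fields copied from the question's openssl output, and a corrected certificate.
PAGE_CERT = {"sig_alg": "md5WithRSAEncryption", "key_alg": "RSA", "key_bits": 1024}
FIXED_CERT = {"sig_alg": "sha256WithRSAEncryption", "key_alg": "RSA", "key_bits": 2048}
```

Against this policy the 1024-bit key passes the keySize rule, so the only rule the server certificate breaks is the MD5 entry, which is why re-issuing with SHA-256 is the fix.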

The problem is in the certificate, but the image does not show the certificate. For example, run
openssl x509 -text -in server.pem
on the certificate you use in the server and add the output to your question. This might be the problem:
md5WithRSAEncryption
. See also.
jdk.certpath.disabledAlgorithms=MD2
java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
...
Signature Algorithm: md5WithRSAEncryption