
In JMeter, I'm trying to hit an API over the HTTPS protocol, and I'm encountering the infamous SSLHandshakeException.

Response code:Non HTTP response code: javax.net.ssl.SSLHandshakeException javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints... Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: RSASSA-PSS

Using Java (32 bit) jre 1.8, Jmeter 5.3 on Win7 Enterprise edition.

Server certificate details: Version: V3; Signature Algorithm: RSASSA-PSS

Based on other questions on Stack Overflow, I tried these, but they didn't help:

  1. Commented out jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms in java.security file.
  2. Have imported the certificate from the server to Java keystore.

  • Java (1.)8 below 8u251 doesn't support RSAPSS at all; 8u251 does support it as a _Signature_ but not in TLS because it only supports up to TLS 1.2, which does not have any sigalg value to allow RSAPSS. Effectively dupe https://stackoverflow.com/questions/61676711/how-to-add-signature-algorithm-from-one-provider-to-another-provider-used-during . – dave_thompson_085 Jul 02 '20 at 04:04
  • @dave_thompson_085 Thanks a ton! I upgraded to JDK 11 and the problem disappeared. Why is it that with Java 6, and exactly the same cert, I did not have this exception? – Learner4life Jul 02 '20 at 06:19
  • Java 6 and lower only implemented TLS1.0 and SSL3 which don't have the sigalgs extension that makes clear the need for constraint logic. In principle rfc2246 set fixed constraints on the certs but in ~2005 when j6 was designed nobody anywhere was using PSS certs or signatures -- the _spec_ for them (PKCS1v2.1) had only been issued in 2002/3. – dave_thompson_085 Jul 02 '20 at 13:26
  • Now I understand how it worked with Java 6. Thanks for all the details. Appreciate it. – Learner4life Jul 03 '20 at 05:11
  • Update: also **Java 8u261** now implements TLS1.3 (including PSS) _and_ PSS signatures in 1.2, per 8446 4.2.3 – dave_thompson_085 Aug 11 '20 at 03:29
  • That's great to know! Thank you. – Learner4life Aug 11 '20 at 03:40
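
A small diagnostic for the situation discussed in the comments above, added here as an example and not code from the question or the commenters: it reports whether the running JRE offers an RSASSA-PSS `Signature`, whether its default JSSE context supports TLSv1.3, and what the two `disabledAlgorithms` security properties currently contain. The class name `PssSupportCheck` and the optional certificate-file argument are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Hypothetical helper class; written to compile on Java 8 and later.
public class PssSupportCheck {

    // True if an installed provider offers the RSASSA-PSS Signature algorithm.
    static boolean hasPssSignature() {
        try {
            Signature.getInstance("RSASSA-PSS");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    // True if the default JSSE context lists the given protocol as supported.
    static boolean supportsProtocol(String protocol) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return Arrays.asList(supported).contains(protocol);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version         = " + System.getProperty("java.version"));
        System.out.println("RSASSA-PSS Signature = " + hasPssSignature());
        System.out.println("TLSv1.3 supported    = " + supportsProtocol("TLSv1.3"));

        // Show the effective constraint lists (null means the property is unset).
        for (String prop : new String[] {"jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"}) {
            System.out.println(prop + " = " + Security.getProperty(prop));
        }

        // Optional: path to the server certificate (PEM or DER) to confirm how it was signed.
        if (args.length > 0) {
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println("cert signature alg   = " + cert.getSigAlgName()
                        + " (OID " + cert.getSigAlgOID() + ")");
            }
        }
    }
}
```

Run it with the same `java` binary that launches JMeter, since the answers depend on the JRE in use rather than on JMeter itself.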
