3

For sometime I am noticing following error consistently, when servers are trying to connect other services using https. What action is to be taken to resolve this. Interestingly, it is happening only on few servers.

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    ....
    ....
at com.xyz.rest.XyzService.call(XyzService.java:1239)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 33 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.prepareNextCertO(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 39 more
YS_NE
  • 194
  • 2
  • 21
  • 1
    is those failed servers' clock on time? – aran Jan 10 '21 at 22:43
  • @aran - Yes clock wise those are all set correctly. Any hint on when does this error occurs? – YS_NE Jan 11 '21 at 01:34
  • My only guess was ntp sync failing, I can't really think of alternatives...did you try reinstalling the jre entirely, setting again all the cert settings on those servers? Could you virtualize the good ones and replace the failed servers with the good clones? – aran Jan 11 '21 at 21:39

2 Answers2

1

Thanks all, but I found the answer to this problem. Had an older version of bouncy castle jar, after upgrading the the jar bcprov-jdk15on-1.58.jar, the "Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption" error is no longer occurring.

YS_NE
  • 194
  • 2
  • 21
0

Please, review the java configuration related to TLS in the affected servers, the SDK uses the security properties jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithm to disable algorithms during TLS protocol negotiation, and maybe SHA256WithRSAEncryption has been disabled.

You can find the value of these properties in the <install_dir>/jre/lib/security/java.security file of your Java installation.

Please, consider read this related article, it is for IBM SDK 8, but the behavior described should be the same or very similar for other SDK versions and vendors.

Also, consider to enable the java.security.debug environment property with a value of certpath or all when running your program in the affected servers:

-Djava.security.debug=certpath

It will provide you guidance and valuable information about what is going on and why Java is complaining about the algorithm.

jccampanero
  • 50,989
  • 3
  • 20
  • 49
  • 1
    No. SHA256WithRSAEncryption algorithm is not disabled in java.security. More and more urls are getting this error "CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption". whats going on? – YS_NE Feb 15 '21 at 19:53
  • I am sorry to hear that it was not the problem. Were you are to enable SSL debugging on your program? Any findings? Please, what Java version are your failing server running? It is not very likely, but as suggested in [this](https://stackoverflow.com/questions/21218217/ssl-handshake-exception-algorithm-constraints-check-failed-md5withrsa) SO question as well, perhaps some servers are using a more permissive JDK version than the ones that are failing regarding key size. See next comment – jccampanero Feb 16 '21 at 09:13
  • In addition, also pay attention to the cipher suites used by the remote service, maybe some of them, recent GCM for instance, are not supported by all SDK versions. Consider for example [this SDK enhancement](https://bugs.openjdk.java.net/browse/JDK-8180834) that you can find in the [security-libs](https://bugs.openjdk.java.net/issues/?jql=project+%3D+JDK+AND+component+%3D+security-libs) related work, available only from JDK 7u191 onwards. All the proposed solutions are quite dated but I hope any of this was helpful. – jccampanero Feb 16 '21 at 09:16
  • It probably is out of jdk, as I have checked into jdk versions. All VMs have same jdk version and tomcat version. Could the application code itself be culprit. Because we do that we experience this problem on our product upgrade. But nothing seem changed in terms of http library or any ssl infrastructure code. – YS_NE Feb 16 '21 at 13:18
  • it is very difficult to say without seeing your actual code, but if you faced the issue after a product upgrade it is possible that the problem was related with the code. In any way, please, be aware that the problem has to do with the SSL handshake, so pay attention on that. For instance, are you performing mutual authentication? It can be a problem with your server certificates if that it is case. It would be great it you can provide more context in your question. – jccampanero Feb 16 '21 at 13:29