java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

Updated: 2024-10-28 05:28:41

Problem description


I have a mapping application that can add ArcGIS 9.3+ base maps given a URL. One of the URLs that I would like to add is from a customer's URL and is secured. My mapping application was using Java 6 before and was able to add the secure URL with no issues. I now upgraded to Java 7 and am getting a

"java.security.cert.CertificateException: Certificates does not conform to algorithm constraints"

exception. At first, I believed this to be the case because in Java 7, by default, the MD2 algorithm to sign SSL certificates is disabled. You can see this in the java.security file:

"jdk.certpath.disabledAlgorithms=MD2"

But when I check the Certification Signature Algorithm of that URL, it says SHA-1. What is even more strange is if I comment out the "jdk.certpath.disabledAlgorithms=MD2" line in the java.security file, the URL will work with no issues. Is MD2 used somewhere else during the SSL process? Am I missing something here?

Recommended answer

Background

MD2 was widely recognized as insecure and thus disabled in Java in version JDK 6u17 (see release notes http://www.oracle.com/technetwork/java/javase/6u17-141447.html, "Disable MD2 in certificate chain validation"), as well as JDK 7, as per the configuration you pointed out in java.security.

Verisign was using a Class 3 root certificate with the md2WithRSAEncryption signature algorithm (serial 70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf), but deprecated it and replaced it with another certificate with the same key and name, but signed with algorithm sha1WithRSAEncryption. However, some servers are still sending the old MD2 signed certificate during the SSL handshake (ironically, I ran into this problem with a server run by Verisign!).

You can check this by getting the certificate chain from the server and inspecting it:

openssl s_client -showcerts -connect <host>:<port>

Recent versions of the JDK (e.g. 6u21 and all released versions of 7) should resolve this issue by automatically removing certs with the same issuer and public key as a trusted anchor (in cacerts by default).

Check if you have a custom trust manager implementing the older X509TrustManager interface. JDK 7+ is supposed to be compatible with this interface, however based on my investigation when the trust manager implements X509TrustManager rather than the newer X509ExtendedTrustManager (docs), the JDK uses its own wrapper (AbstractTrustManagerWrapper) and somehow bypasses the internal fix for this issue.

The solution is:

use the default trust manager, or

modify your custom trust manager to extend X509ExtendedTrustManager directly (a simple change).
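The second option above in working form, as an added example that is not part of the answer or of any project mentioned on the page: a custom trust manager that extends X509ExtendedTrustManager directly (so the JDK does not wrap it in AbstractTrustManagerWrapper) and delegates every decision to the trust manager built from the JDK's default trust store. Before delegating it logs each certificate's signature algorithm, which is the quickest way to spot a stale MD2withRSA root in a chain, and it drops any chain entry that duplicates a trust anchor by subject and public key, which is the rule the answer attributes to recent JDKs, repeated here only to make the mechanism visible. The class name, the default host `example.com` and the log format are assumptions for the demo.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Example trust manager (not the page's code): extends X509ExtendedTrustManager directly so the
 * JDK does not wrap it, logs every chain certificate's signature algorithm, removes chain entries
 * that duplicate a trust anchor, then delegates to the JDK default trust manager.
 */
public final class LoggingDelegatingTrustManager extends X509ExtendedTrustManager {

    private final X509ExtendedTrustManager delegate;

    public LoggingDelegatingTrustManager(X509ExtendedTrustManager delegate) {
        this.delegate = delegate;
    }

    /** Wraps the trust manager built from the JDK default trust store (cacerts unless overridden). */
    public static LoggingDelegatingTrustManager fromDefaultTrustStore() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null => JDK default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return new LoggingDelegatingTrustManager((X509ExtendedTrustManager) tm);
            }
        }
        throw new IllegalStateException("no X509ExtendedTrustManager from default TrustManagerFactory");
    }

    /**
     * A certificate the server sends that is also one of our trust anchors (same subject, same
     * public key) is removed, so its possibly MD2 signature is never checked against
     * jdk.certpath.disabledAlgorithms; the path still ends at the anchor in the trust store.
     */
    X509Certificate[] dropTrustAnchorCopies(X509Certificate[] chain) {
        List<X509Certificate> kept = new ArrayList<>();
        for (X509Certificate cert : chain) {
            boolean isAnchor = false;
            for (X509Certificate anchor : delegate.getAcceptedIssuers()) {
                if (anchor.getSubjectX500Principal().equals(cert.getSubjectX500Principal())
                        && anchor.getPublicKey().equals(cert.getPublicKey())) {
                    isAnchor = true;
                    break;
                }
            }
            if (!isAnchor) kept.add(cert);
        }
        // Edge case: a chain that is nothing but a trusted self-signed cert must not become empty.
        return kept.isEmpty() ? chain : kept.toArray(new X509Certificate[0]);
    }

    private X509Certificate[] inspect(X509Certificate[] chain) {
        for (int i = 0; i < chain.length; i++) {
            // An old Verisign root still sent by the server shows up here as sigAlg=MD2withRSA.
            System.err.printf("chain[%d] subject=%s sigAlg=%s%n",
                    i, chain[i].getSubjectX500Principal(), chain[i].getSigAlgName());
        }
        return dropTrustAnchorCopies(chain);
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkServerTrusted(inspect(chain), authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket s)
            throws CertificateException { delegate.checkServerTrusted(inspect(chain), authType, s); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine e)
            throws CertificateException { delegate.checkServerTrusted(inspect(chain), authType, e); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket s)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, s); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine e)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, e); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Usage: java LoggingDelegatingTrustManager host [port]; performs one TLS handshake and exits. */
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // assumed default host for the demo
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { fromDefaultTrustStore() }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check is off on raw sockets
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("handshake OK, " + socket.getSession().getProtocol());
        }
    }
}
```

Two points worth keeping in mind when adapting this: the socket and SSLEngine overloads must delegate to the matching overloads (not to the two-argument ones), because that is where the default trust manager applies the endpoint identification and per-connection algorithm constraints; and the fix is to stop evaluating the redundant root, never to remove MD2 from jdk.certpath.disabledAlgorithms, which re-enables a broken hash for every chain the JVM validates.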


Published: 2023-04-17 04:15:27
Link: https://www.elefans.com/category/jswz/34/904397.html