Java TLS Handshake fails with "Algorithm constraints check failed on signature algorithm: SHA1withRSA" when using DEFAULT crypto policy in RHEL 9
Issue
-
Handshake fails:
ERROR [stderr] "ClientHello": { ERROR [stderr] "client version" : "TLSv1.2", ... ERROR [stderr] "cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), ... ERROR [stderr] "server_name (0)": { ERROR [stderr] type=host_name (0), value=myhost ERROR [stderr] }, ... ERROR [stderr] "versions": [TLSv1.3, TLSv1.2] ... ERROR [stderr] "ServerHello": { ERROR [stderr] "server version" : "TLSv1.2", ... ERROR [stderr] "cipher suite" : "TLS_AES_256_GCM_SHA384(0x1302)", ... ERROR [stderr] "selected version": [TLSv1.3] ERROR [stderr] }, ... ERROR [stderr] "certificate" : { ... ERROR [stderr] "signature algorithm": "SHA256withRSA", ERROR [stderr] "issuer" : "CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US", ERROR [stderr] "subject" : "CN=myhost", ERROR [stderr] "subject public key" : "RSA", ... ERROR [stderr] "certificate" : { ERROR [stderr] "signature algorithm": "SHA256withRSA", ERROR [stderr] "issuer" : "CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US", ... ERROR [stderr] "subject" : "CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US", ERROR [stderr] "subject public key" : "RSA", ... ERROR [stderr] { ERROR [stderr] "certificate" : { ... ERROR [stderr] "signature algorithm": "SHA256withRSA", ERROR [stderr] "issuer" : "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US", ... ERROR [stderr] "subject" : "CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US", ERROR [stderr] "subject public key" : "RSA", ... ERROR [stderr] { ERROR [stderr] "certificate" : { ... ERROR [stderr] "signature algorithm": "SHA1withRSA", ERROR [stderr] "issuer" : "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US", ... ERROR [stderr] "subject" : "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US", ERROR [stderr] "subject public key" : "RSA", ... ERROR [stderr] javax.net.ssl|ERROR|TransportContext.java:345|Fatal (CERTIFICATE_UNKNOWN): Certificates do not conform to algorithm constraints ( ERROR [stderr] "throwable" : { ERROR [stderr] java.security.cert.CertificateException: Certificates do not conform to algorithm constraints ERROR [stderr] at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1681) ERROR [stderr] at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1606) ERROR [stderr] at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1550) ERROR [stderr] at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ERROR [stderr] at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ERROR [stderr] at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ERROR [stderr] at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ERROR [stderr] at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ... ERROR [stderr] Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA ERROR [stderr] at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237) ERROR [stderr] at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1677) ERROR [stderr] ... 81 more} ...
Environment
- OpenJDK
- Red Hat Enterprise Linux (RHEL) or Container
- 9
- TLS network connections
- Certificate Authority using SHA1 with RSA signatures
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.