Java TLS Handshake fails with "Algorithm constraints check failed on signature algorithm: SHA1withRSA" when using DEFAULT crypto policy in RHEL 9

Solution Verified - Updated -

Issue

  • Handshake fails:

    ERROR [stderr]  "ClientHello": {
ERROR [stderr]    "client version"      : "TLSv1.2",
...
ERROR [stderr]    "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
...
ERROR [stderr]      "server_name (0)": {
ERROR [stderr]        type=host_name (0), value=myhost
ERROR [stderr]      },
...
ERROR [stderr]        "versions": [TLSv1.3, TLSv1.2]
...
ERROR [stderr]  "ServerHello": {
ERROR [stderr]    "server version"      : "TLSv1.2",
...
ERROR [stderr]    "cipher suite"        : "TLS_AES_256_GCM_SHA384(0x1302)",
...
ERROR [stderr]        "selected version": [TLSv1.3]
ERROR [stderr]      },
...
ERROR [stderr]      "certificate" : {
...
ERROR [stderr]        "signature algorithm": "SHA256withRSA",
ERROR [stderr]        "issuer"             : "CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US",
ERROR [stderr]        "subject"            : "CN=myhost",
ERROR [stderr]        "subject public key" : "RSA",
...
ERROR [stderr]      "certificate" : {
ERROR [stderr]        "signature algorithm": "SHA256withRSA",
ERROR [stderr]        "issuer"             : "CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US",
...
ERROR [stderr]        "subject"            : "CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US",
ERROR [stderr]        "subject public key" : "RSA",
...
ERROR [stderr]    {
ERROR [stderr]      "certificate" : {
...
ERROR [stderr]        "signature algorithm": "SHA256withRSA",
ERROR [stderr]        "issuer"             : "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US",
...
ERROR [stderr]        "subject"            : "CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US",
ERROR [stderr]        "subject public key" : "RSA",
...
ERROR [stderr]    {
ERROR [stderr]      "certificate" : {
...
ERROR [stderr]        "signature algorithm": "SHA1withRSA",
ERROR [stderr]        "issuer"             : "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US",
...
ERROR [stderr]        "subject"            : "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US",
ERROR [stderr]        "subject public key" : "RSA",
...
ERROR [stderr]  javax.net.ssl|ERROR|TransportContext.java:345|Fatal (CERTIFICATE_UNKNOWN): Certificates do not conform to algorithm constraints (
ERROR [stderr]  "throwable" : {
ERROR [stderr]    java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
ERROR [stderr]      at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1681)
ERROR [stderr]      at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1606)
ERROR [stderr]      at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1550)
ERROR [stderr]      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
ERROR [stderr]      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
ERROR [stderr]      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
ERROR [stderr]      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
ERROR [stderr]      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
...
ERROR [stderr]    Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
ERROR [stderr]      at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
ERROR [stderr]      at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1677)
ERROR [stderr]      ... 81 more}
...

Environment

  • OpenJDK
  • Red Hat Enterprise Linux (RHEL) or Container
    • 9
  • TLS network connections
  • Certificate Authority using SHA1 with RSA signatures

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content