Works in the development environment (Windows), fails in the test environment (Linux)
1 >>>
Exception log:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
...
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA
Possible cause:
Newer JDK releases restrict insecure cryptographic algorithms for security reasons.
References:
【1】JDK upgrade causes TLS certificate validation to fail https://blog.csdn.net/u014389822/article/details/48296811
【2】Fixing java.security.cert.CertificateException: Certificates does not conform to algorithm constraints https://blog.csdn.net/silyvin/article/details/78784030
【3】SSL handshake exception: “Algorithm constraints check failed: MD5withRSA” https://stackoverflow.com/questions/21218217/ssl-handshake-exception-algorithm-constraints-check-failed-md5withrsa
Cause: JDK 7 already restricts the minimum RSA key length to 1024 bits by default, while the client uses a certificate with a 512-bit RSA key, so the server cannot call the library to decrypt properly.
Fix:
Edit the file $\jdk\jre\lib\security\java.security
Remove MD5 from the value of jdk.certpath.disabledAlgorithms
Remove MD5withRSA from the value of jdk.tls.disabledAlgorithms
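To see what the two edited properties actually constrain, here is an added Python example (not code from the original note or from the referenced posts) that parses a constructed, abbreviated java.security fragment, checks a certificate's signature algorithm and key size against the entries, and applies the same removals the note describes. It is a simplified model of the JDK's matching (the real AlgorithmConstraints decomposes names more thoroughly and honours extra qualifiers), and the property values are constructed JDK-8-style defaults, not copied from a specific build.

```python
import re
# Constructed, abbreviated fragment in the style of JDK 8 defaults (not from a real build).
SAMPLE_JAVA_SECURITY = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

def load_properties(text):
    """Parse key=value lines, joining backslash-continued lines as java.security uses them."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props
def parse_constraints(value):
    """Split a disabledAlgorithms value into plain names and 'ALG keySize < N' limits."""
    names, key_limits = set(), {}
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        m = re.fullmatch(r"(\w+)\s+keySize\s*<\s*(\d+)", entry)
        if m:
            key_limits[m.group(1).upper()] = int(m.group(2))
        else:
            names.add(entry.upper())
    return names, key_limits
def rejected_by(value, sig_alg, key_alg, key_bits):
    """Return why a cert with this signature algorithm/key is disabled, or None if allowed."""
    names, key_limits = parse_constraints(value)
    if sig_alg.upper() in names:                      # e.g. MD5withRSA listed verbatim
        return f"signature algorithm {sig_alg}"
    digest = sig_alg.upper().split("WITH")[0]         # MD5withRSA -> MD5
    if digest in names:
        return f"digest {digest}"
    limit = key_limits.get(key_alg.upper())           # e.g. RSA keySize < 1024
    if limit is not None and key_bits < limit:
        return f"{key_alg} keySize {key_bits} < {limit}"
    return None
def remove_entries(value, *unwanted):
    """Drop the named entries from a disabledAlgorithms value (the edit the note describes)."""
    drop = {u.upper() for u in unwanted}
    keep = [e.strip() for e in value.split(",") if e.strip().upper() not in drop]
    return ", ".join(keep)
```

With a value that contains `RSA keySize < 1024`, removing MD5 alone still leaves the 512-bit key from the cause above rejected by the key-size entry; a certificate reissued with SHA-256 and a 2048-bit key passes both properties unchanged.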
<<< 1
2 >>>
curl error log:
[root@localhost apache-tomcat-8.0.52]# curl https://xxx.xxx.com/api/Bill400/GetCall400Detail -X POST -H "Content-Type:application/json" -d '{"AreaCode": "B024","PageNumber": 1,"PageSize": 10,"Search": 53549}' -v
* About to connect() to xxx.xxx.com port 443 (#0)
* Trying 210.xxx.xxx.xxx...
* Connected to xxx.xxx.com (210.xxx.xxx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: O=Internet Widgits Pty Ltd,ST=Some-State,C=CN
* start date: 6月 01 09:23:23 2006 GMT
* expire date: 5月 31 09:23:23 2011 GMT
* common name: (nil)
* issuer: E=ssl@sinfor,CN=ssl,OU=ssl,O=sinfor,L=sz,ST=gd,C=CN
* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
* Peer's Certificate has expired.
* Closing connection 0
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Result: curl: (60) Peer's Certificate has expired.
Possible cause:
The certificate has expired, or the server's clock is wrong.
References:
【1】Notes on resolving a curl HTTPS certificate problem https://www.cnblogs.com/xuxinkun/p/5417836.html
Fix:
Refresh the expired certificate bundle: update-ca-trust
Run an NTP time sync: ntpdate pool.ntp.org
<<< 2
3 >>>
Problem:
ping works, but the application cannot be reached.
Possible cause 3:
Network problem; ask the network administrator.
In this project it was because the IDC data centre could not reach Alibaba Cloud; the exact reason is unknown.
Fix:
Edit the hosts file, /etc/hosts
<<< 3
4 >>>
Possible cause 4:
jar conflict (http-client-1.1.1.RELEASE.jar conflicts with httpclient-4.5.6.jar)
When the project was taken over it was a plain web project with redundant jars; after converting it to Maven management, several redundant jars were removed.
Fix:
Removed http-client-1.1.1.RELEASE.jar (in this project it is pulled in through spring-rabbit-1.7.5.RELEASE.jar)
<<< 4