Bug 1487266 - Java update 8.131 to 8.141 results in ssl handshake errors
Summary: Java update 8.131 to 8.141 results in ssl handshake errors
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: java-1.8.0-openjdk
Version: 7.3
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Andrew John Hughes
QA Contact: Lukas Zachar
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-31 14:02 UTC by Deepu K S
Modified: 2018-04-10 15:51 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-04-10 15:50:25 UTC

Attachments (Terms of Use)
Reproducer program (8.02 KB, text/x-csrc)
2017-08-31 14:10 UTC, Deepu K S 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
openjdk bug system JDK-8184673 None None None 2017-09-01 15:06 UTC
Icedtea Bugzilla 3475 None None None 2017-10-13 17:00 UTC
Red Hat Product Errata RHBA-2018:0872 None None None 2018-04-10 15:51 UTC

Description Deepu K S 2017-08-31 14:02:27 UTC 
Description of problem:
Java update 8.131 to 8.141 results in ssl handshake errors because of signature alg. error

Stacktraces :
Caused by: com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature algorithm disabled
        at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:117) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:208) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:130) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:124) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:1121) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:1035) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:1004) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:862) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.client.Stub.process(Stub.java:448) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:178) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147) ~[na:1.8.0_141]
        at com.sun.proxy.$Proxy100.editUser(Unknown Source) ~[na:na]
        at de.kvconnect.server.csr.ejbca.CsrDAO.editUser(CsrDAO.java:222) ~[de.kvconnect.server.csr.ejbca-1.1.0.jar:na]
        at de.kvconnect.server.csr.ejbca.CsrDAO.pkcs10Request(CsrDAO.java:239) ~[de.kvconnect.server.csr.ejbca-1.1.0.jar:na]
        at de.kvconnect.server.csr.ejbca.CsrDAO.createAndSignCertificate(CsrDAO.java:91) ~[de.kvconnect.server.csr.ejbca-1.1.0.jar:na]
        ... 37 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature algorithm disabled
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_141]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[na:1.8.0_141]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_141]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_141]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[na:1.8.0_141]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_141]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[na:1.8.0_141]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[na:1.8.0_141]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[na:1.8.0_141]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_141]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[na:1.8.0_141]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[na:1.8.0_141]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[na:1.8.0_141]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_141]
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316) ~[na:1.8.0_141]
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291) ~[na:1.8.0_141]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) ~[na:1.8.0_141]
        at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:104) ~[na:1.8.0_141]
        ... 53 common frames omitted
Caused by: sun.security.validator.ValidatorException: Certificate signature algorithm disabled
        at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:194) ~[na:1.8.0_141]
        at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_141]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_141]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_141]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_141]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[na:1.8.0_141]
        ... 66 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA512WithRSAEncryption


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 7.3
java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
tomcat-7.0.69-12.el7_3.noarch

Tomcat (warfile) Java tls connection to Wildfly 10 (.ear file) relationship is normal keystore/truststore .

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature algorithm disabled

SSL handshakes failed.

Expected results:
No errors with TLS handshakes.

Additional info:
Comment 3 Deepu K S 2017-08-31 14:10 UTC 
Created attachment 1320607 [details]
Reproducer program
Comment 12 errata-xmlrpc 2018-04-10 15:50:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0872
Note You need to log in before you can comment on or make changes to this bug.