Java – Signature Algorithm: Algorithm constraint check failed on MD5withRSA

Today I want to use HttpClient to call the Hybris interface in AEM. But I get the error message “java.security.cert.CertPathValidatorException: Algorithm constraint check failed for signature algorithm: MD5withRSA”.

The exception “java.security.cert.CertPathValidatorException: Algorithm constraint check failed on signature algorithm: MD5withRSA” is thrown on this line:

httpClient.executeMethod(request);

I changed the following properties to empty in the java.security file (C:\Program Files\Java\jdk1.8.0_191\jre\lib\security\java.security), but it doesn’t work.

jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms
jdk.jar.disabledAlgorithms

My JDK version: jdk1.8.0_191

Does anyone know how to fix it?

Thank you
Forrest Gump

Solution

Narrator: The jdk.jar.disabledAlgorithms property is not related to this issue.

Let’s make sure you’ve actually changed the files that the program sees.

  • Modern versions of Windows (IIRC since Vista, probably 7) don’t like anything other than an installer writing to files under \Program Files and \Program Files (x86). At least one thing they sometimes do is “virtualize” such writes to different files hidden somewhere under each user's %appdata%. Search and you will find a lot of similar problems and frustrations.

  • Call Security.getProperty() to check the settings actually seen in the program.

If you are unable to fix the settings in the standard file, you can override it in another file (in a more convenient place) by setting sysprop (not secprop) java.security.properties=filename or by calling Security.setProperty() early in the program (when loading JSSE/PKIX classes). See also:
Relaxing SSL algorithm constrains programatically
Java – Lock down TLS version in java.security, but allow per app override via launch config?

Alternatively, the JDK doesn’t really need to be in \Program Files*. I put it in another top directory without these issues.

And of course, tell the people responsible for the server that they are outdated 🙂
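
The check suggested in the answer, as an added example that is not part of the original post: a small Java 8 compatible class that prints which runtime is executing, where its java.security file lives, and the effective values of the two relevant properties. The class name `EffectiveSecurityProps` and the helper `mentions` are hypothetical.

```java
import java.io.File;
import java.security.Security;

// Added example: prints the security settings the running JVM actually uses.
public class EffectiveSecurityProps {

    // Properties from the question that govern cert-path and TLS algorithm checks.
    static final String[] PROPS = {
        "jdk.certpath.disabledAlgorithms",
        "jdk.tls.disabledAlgorithms"
    };

    // True if any entry of the comma-separated constraint list names an algorithm
    // starting with the prefix. Entries may carry qualifiers ("RSA keySize < 1024"),
    // so only the first token of each entry is compared.
    static boolean mentions(String value, String prefix) {
        if (value == null) return false;
        for (String entry : value.split(",")) {
            String name = entry.trim().split("\\s+")[0];
            if (name.toUpperCase().startsWith(prefix.toUpperCase())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String home = System.getProperty("java.home");
        System.out.println("java.home = " + home);

        // JDK 8 keeps the file under lib/security, JDK 9 and later under conf/security.
        for (String rel : new String[] {"lib/security/java.security", "conf/security/java.security"}) {
            File f = new File(home, rel);
            if (f.isFile()) System.out.println("master file = " + f.getAbsolutePath());
        }

        // A file named by this system property is only honoured when the master
        // file contains security.overridePropertiesFile=true.
        System.out.println("java.security.properties = " + System.getProperty("java.security.properties"));
        System.out.println("security.overridePropertiesFile = " + Security.getProperty("security.overridePropertiesFile"));

        for (String p : PROPS) {
            String v = Security.getProperty(p);
            System.out.println(p + " = " + v);
            System.out.println("  mentions MD5: " + mentions(v, "MD5"));
        }
    }
}
```

Run it with the same Java runtime that launches the failing application. If `java.home` or the master file path differs from the file that was edited, or MD5 is still reported, the JVM is reading a different copy of java.security.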
