Signature Algorithm: Algorithm constraint check failed on MD5withRSA
Today I want to use HttpClient to call the Hybris interface in AEM. But I get the error message “java.security.cert.CertPathValidatorException: Algorithm constraint check failed for signature algorithm: MD5withRSA”.
This line throws the exception “java.security.cert.CertPathValidatorException: Algorithm constraint check failed on signature algorithm: MD5withRSA”:
httpClient.executeMethod(request);
I changed the following properties to empty in the java.security file (C:\Program Files\Java\jdk1.8.0_191\jre\lib\security\java.security), but it doesn’t work.
jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms
jdk.jar.disabledAlgorithms
My JDK version: jdk1.8.0_191
Does anyone know how to fix it?
Thank you
Forrest Gump
Solution
Aside: The jdk.jar.disabledAlgorithms property is not related to this issue.
Let’s make sure you’ve actually changed the files that the program sees.
Modern versions of Windows (IIRC since Vista, probably 7) don’t like anything other than an installer writing to files under \Program Files and \Program Files (x86). At least one thing they sometimes do is “virtualize” such writes to different files hidden somewhere under each user's %appdata%. Search and you will find a lot of similar problems and frustrations.
Call Security.getProperty() to check the settings actually seen in the program.
If you are unable to fix the settings in the standard file, you can override them in another file (in a more convenient place) by setting the sysprop (not secprop) java.security.properties=filename, or by calling Security.setProperty() early in the program (when loading JSSE/PKIX classes). See also:
Relaxing SSL algorithm constrains programatically
Java – Lock down TLS version in java.security, but allow per app override via launch config?
Alternatively, the JDK doesn’t really need to be in \Program Files*. I put it in another top-level directory without these issues.
And of course, tell the people responsible for the server that they are outdated 🙂
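A diagnostic for the Security.getProperty() check and the Security.setProperty() override described in the answer above, added here as an example and not code from either poster. The class name, the `withoutMd5` helper and the `--allow-md5` switch are hypothetical; the override removes only MD5 entries instead of emptying the whole property, so the other constraints stay in force.

```java
import java.io.File;
import java.security.Security;
import java.util.Arrays;
import java.util.Date;
import java.util.stream.Collectors;

public class EffectiveSecurityProps {
    // The three properties edited in the question.
    static final String[] PROPS = {
        "jdk.certpath.disabledAlgorithms",
        "jdk.tls.disabledAlgorithms",
        "jdk.jar.disabledAlgorithms"
    };

    // Hypothetical helper: drop entries starting with "MD5" (e.g. "MD5", "MD5withRSA"), keep the rest.
    static String withoutMd5(String value) {
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(e -> !e.isEmpty() && !e.regionMatches(true, 0, "MD5", 0, 3))
                .collect(Collectors.joining(", "));
    }

    public static void main(String[] args) {
        String home = System.getProperty("java.home");
        System.out.println("java.home = " + home);
        // JDK 8 keeps the file under lib/security, JDK 9+ under conf/security.
        for (String rel : new String[] {"lib/security/java.security", "conf/security/java.security"}) {
            File f = new File(home, rel);
            if (f.isFile()) {
                System.out.println("file the JVM reads = " + f + " (modified " + new Date(f.lastModified()) + ")");
            }
        }
        System.out.println("java.security.properties (sysprop) = " + System.getProperty("java.security.properties"));
        // Values the running JVM actually sees, regardless of what an editor showed.
        for (String p : PROPS) {
            System.out.println(p + " = " + Security.getProperty(p));
        }
        // Scoped override; in the real application these calls go at the very start of the program.
        if (args.length > 0 && args[0].equals("--allow-md5")) {
            for (String p : new String[] {PROPS[0], PROPS[1]}) {
                String current = Security.getProperty(p);
                if (current != null) {
                    Security.setProperty(p, withoutMd5(current));
                    System.out.println(p + " -> " + Security.getProperty(p));
                }
            }
        }
    }
}
```

If the printed values still contain MD5 after the file was edited, the JVM is reading a different copy than the one that was changed; compare the printed java.home and modification time with the file that was edited.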