JDK17下,使用SHA1算法报Certificates do not conform to algorithm constraints错误

JDK17从17.0.5开始,默认不再允许使用SHA1算法,如果引用的jar包或代码里使用了SHA1算法,会报以下错误。

Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1450)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1421)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:220)
	at com.pingan.openbank.api.sdk.common.helper.WebUtils.doRequest(WebUtils.java:167)
	at com.pingan.openbank.api.sdk.common.helper.WebUtils.doPost(WebUtils.java:110)
	... 11 common frames omitted
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1571)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1496)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1440)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	... 29 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1567)
	... 32 common frames omitted

如果从JDK8升级到JDK17时,或其他原因,必须要使用SHA1算法,则需要修改JDK的配置

找到你的JDK安装目录,找到目录下conf/security/java.security文件,如"/java-17-openjdk/conf/security/java.security"

注释掉或者直接删除SHA1 usage SignedJAR & denyAfter 2019-01-01,注意前面的逗号和空格也要删除

如果是RedHat系的,如RHEL,AlmaLinux,Rocky Linux,/etc/crypto-policies/back-ends/java.config也需要修改,把里面的SHA1删除

之后,重启服务,即可使用SHA1加密算法

相关推荐
JavaNice哥2 小时前
1初识别jvm
jvm
涛粒子2 小时前
JVM垃圾回收详解
jvm
YUJIANYUE2 小时前
PHP将指定文件夹下多csv文件[即多表]导入到sqlite单文件
jvm·sqlite·php
逊嘘2 小时前
【Java语言】抽象类与接口
java·开发语言·jvm
鱼跃鹰飞12 小时前
大厂面试真题-简单说说线程池接到新任务之后的操作流程
java·jvm·面试
王佑辉12 小时前
【jvm】Major GC
jvm
阿维的博客日记12 小时前
jvm学习笔记-轻量级锁内存模型
jvm·cas·轻量级锁
曹申阳16 小时前
2. JVM的架构模型和生命周期
jvm·架构
琪露诺大湿17 小时前
JavaEE-多线程初阶(4)
java·开发语言·jvm·java-ee·基础·1024程序员节·原神
王佑辉19 小时前
【jvm】Full GC
jvm