Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Java 7 Troubleshooting (disabled support for MD2)

Posted by William Diaz on September 4, 2013


Upon trying to connect to a vendors website application, a user was seeing an error pointing to a failed certificate validation:

image

With java logging enabled, the details were more specific:

com.citrix.sdk.jsse.CitrixSSLException: The certificate validation failed. 
    at com.citrix.sdk.jsse.SocketFactory.createSslSocket(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.citrix.client.io.net.ip.proxy.o.a(Unknown Source)
    at com.citrix.client.io.net.ip.z.a(Unknown Source)
    at com.citrix.client.io.net.ip.z.a(Unknown Source)
    at com.citrix.client.module.td.tcp.TCPTransportDriver.s(Unknown Source)
    at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

Looking at the certificate, I could see it was using the relatively old MD2 algorithm. While the user did not experience this issue previously, its worth noting we had just moved to Java 7 from 6. Likely JRE 7 has disabled support for MD2 because it is considered unsecure. Some quick research revealed this was the case. With the site outside of our control, a need existed for the user to be able to access the application. Instead of downgrading to Java 6, enabling MD2 support in Java 7 is a simple matter of editing the java.security file in C:\Program Files (x86)\Java\jre7\lib\security to comment out jdk.certpath.disabledAlgorithms=MD2 or simply remove the MD2 part:

SNAGHTML67b4bc0

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: