Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Java 7 Troubleshooting (disabled support for MD2)

Posted by William Diaz on September 4, 2013

Upon trying to connect to a vendor's website application, a user was seeing an error pointing to a failed certificate validation.


With Java logging enabled, the details were more specific:

com.citrix.sdk.jsse.CitrixSSLException: The certificate validation failed. 
    at com.citrix.sdk.jsse.SocketFactory.createSslSocket(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at Source)
    at Source)
    at Source)
    at Source)
    at Source)
    at Source)
Caused by: Certificates does not conform to algorithm constraints
    at Source)
    at Source)
    at Source)
    at Source)
    at Source)
    at Source)

Looking at the certificate, I could see it was using the relatively old MD2 algorithm. While the user did not experience this issue previously, it's worth noting we had just moved to Java 7 from 6. Likely JRE 7 has disabled support for MD2 because it is considered insecure. Some quick research revealed this was the case. With the site outside of our control, a need existed for the user to be able to access the application. Instead of downgrading to Java 6, enabling MD2 support in Java 7 is a simple matter of editing the file in C:\Program Files (x86)\Java\jre7\lib\security to comment out jdk.certpath.disabledAlgorithms=MD2 or simply remove the MD2 part.
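Because this edit changes certificate validation for everything that JRE runs, it helps to be able to find the machines where it was applied. The following is an added example, not part of the original post: it reads the text of the java.security properties file in that directory and reports whether MD2 is still listed in jdk.certpath.disabledAlgorithms. The sample file contents are constructed, the function names are hypothetical, and only `key=value` lines with `#`/`!` comments and backslash continuations are handled.

```python
PROP = "jdk.certpath.disabledAlgorithms"

def read_property(text, name):
    """Return the value of `name` from java.security-style text, or None.
    Skips '#'/'!' comment lines and joins backslash-continued lines;
    the last uncommented assignment wins."""
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            logical += line[:-1]          # continued on the next line
            continue
        logical += line
        key, sep, val = logical.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
        logical = ""
    return value

def disabled_algorithms(text):
    """Algorithm names in the list (first token of each comma-separated entry)."""
    value = read_property(text, PROP)
    if not value:
        return set()
    return {e.split()[0].upper() for e in value.split(",") if e.strip()}

def audit(text):
    """Return 'ok' if MD2 is still rejected, otherwise a finding string."""
    if read_property(text, PROP) is None:
        return "FINDING: property absent or commented out; MD2 not disabled"
    if "MD2" not in disabled_algorithms(text):
        return "FINDING: MD2 removed from disabled list"
    return "ok"

# Constructed sample contents (not taken from a real machine).
STOCK = "# sample\n" + PROP + "=MD2, \\\n    RSA keySize < 1024\n"
COMMENTED = "#" + PROP + "=MD2\n"
EDITED = PROP + "=RSA keySize < 1024\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:             # pass one or more java.security paths
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, "->", audit(fh.read()))
```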


