Develop Reference

Apache HttpClient4 + OpenJDK11 different behavior on CentOS Linux and Windows with SSL websites

A Java crawler developed on Apache HttpClient works fine on Windows, but throws "Algorithm constraints check failed on signature algorithm: SHA1withRSA" on Linux when crawling sites having certificate signed by Certum. Both ran on the latest openjdk-11. java.security on both OSes are compared and properties like jdk.certpath.disabledAlgorithms and jdk.security.legacyAlgorithms are the same. I even tried to comment all these properties on the Linux, no no success. Linux ca-certs are up to date and Certum is also trusted on java keystore there. Tools like curl and wget can safely download these https sites.
When running openssl s_client -showcerts -connect, it shows that root certum ca certificate uses RSA-SHA1 on these sites:
3 s:C = PL, O = Unizeto Sp. z o.o., CN = Certum CA
i:C = PL, O = Unizeto Sp. z o.o., CN = Certum CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Jun 11 10:46:39 2002 GMT; NotAfter: Jun 11 10:46:39 2027 GMT
-----BEGIN CERTIFICATE-----
MIIDDDCCAfSgAwIBAgIDAQAgMA0GCSqGSIb3DQEBBQUAMD4xCzAJBgNVBAYTAlBM
MRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBD
QTAeFw0wMjA2MTExMDQ2MzlaFw0yNzA2MTExMDQ2MzlaMD4xCzAJBgNVBAYTAlBM
MRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBD
QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6xwS7TT3zNJc4YPk/E
jG+AanPIW1H4m9LcuwBcsaD8dQPugfCI7iNS6eYVM42sLQnFdvkrOYCJ5JdLkKWo
ePhzQ3ukYbDYWMzhbGZ+nPMJXlVjhNWo7/OxLjBos8Q82KxujZlakE403Daaj4GI
ULdtlkIJ89eVgw1BS7Bqa/j8D35in2fE7SZfECYPCE/wpFcozo+47UX2bu4lXapu
Ob7kky/ZR6By6/qmW6/KUz/iDsaWVhFu9+lmqSbYf5VT7QqFiLpPKaVCjF62/IUg
AKpoC6EahQGcxEZjgoi2IrHu/qpGWX7PNSzVttpd90gzFFS269lvzs2I1qsb2pY7
HVkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEA
uI3O7+cUus/usESSbLQ5PqKEbq24IXfS1HeCh+YgQYHu4vgRt2PRFze+GXYkHAQa
TOs9qmdvLdTN/mUxcMUbpgIKumB7bVjCmkn+YzILa+M6wKyrO7Do0wlRjBCDxjTg
xSvgGrZgFCdsMneMvLJymM/NzD+5yCRCFNZX/OYmQ6kd5YCQzgNUKD73P9P4Te1q
CjqTE5s7FCMTY5w/0YcneeVMUeMBrYVdGjux1XMQpNPyvG5k9VpWkKjHDkx0Dy5x
O/fIR/RpbxXyEV6DHpx8Uq79AtoSqFlnGNu8cN2bsWntgM6JQEhqDjXKKWYVIZQs
6GAqm4VKQPNriiTsBhYscw==
OpenJDK version on Linux:
OpenJDK Runtime Environment (Red_Hat-11.0.17.0.8-2.el9) (build 11.0.17+8-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-11.0.17.0.8-2.el9) (build 11.0.17+8-LTS, mixed mode, sharing)
Here is the exception trace:
javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1416)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at myproject.Crawler.load(Crawler.java:127)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1681)
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1606)
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1550)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 28 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1677)

Seems that CentOS stream 9 overrides Java security policies on /usr/share/crypto-policies/DEFAULT/java.txt (accessible from /etc/crypto-policies/back-ends). Replaced JDK default jdk.certpath.disabledAlgorithms in the file resolved the issue!

I can't connect to ms sql instance - internal

The Platform and Software versions I am using are as follows :
Red Hat Enterprise Linux Server release 7.4 (Maipo)
Microsoft SQL Server 2017 (RTM-CU3-GDR) (KB4052987) - 14.0.3015.40 (X64)
Dec 22 2017 16:13:22
Copyright (C) 2017 Microsoft Corporation Express Edition (64-bit) on
Windows Server 2012 R2 Standard 6.3 <X64> (Build 9600:) (Hypervisor)
I have searched a lot for answers on Google but haven't found any solution yet. I can't connect to RDS instance having MS SQL instance via Linux.
It shows following errors If I try to :
[ec2-user#ip-~]$ sqlcmd -H mssqldb.xxxxxxxxxxxxxx.com -P 1433
-U userXXXXX -P aXXXXXX
-Q 'SELECT TOP 1 [n] FROM [dbbase2].[dbo].[table_people]'
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server :
Login timeout expired.
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server :
TCP Provider: Error code 0x2749.
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server :
A network-related or instance-specific error has occurred while
establishing a connection to SQL Server. The server is not found
or not accessible. Check if instance name is correct and if SQL
Server is configured to allow remote connections. For more
information see SQL Server Books Online.
[ec2-user#ip- ~]$ Check if instance name is correct and if SQL Server is
configured to allow remote connections.
Could anyone please tell the issue and resolution ?
Thanks.

Hosting Identity Server 3 in IIS

I'm trying to host Identity Server 3 as a separate application in IIS 10. I added an application with virtual path "/identity" and pointed it at my debug directory. When I try to browse to "http://localhost/identity/.well-known/openid-configuration" I get "HTTP Error 404.0 - Not Found". The project in the debug directory runs perfectly fine as a standalone server under Visual Studio 2015. I've run out of ideas.
Incidentally, I've backed out SSL and turned off https for now in an effort to whittle down the potential issues.
Identity Server Log:
w3wp.exe Warning: 0 : 2016-10-04 13:44:23.940 +01:00 [Warning] AuthorizationCodeStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : 2016-10-04 13:44:23.950 +01:00 [Warning] TokenHandleStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : 2016-10-04 13:44:23.952 +01:00 [Warning] ConsentStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : 2016-10-04 13:44:23.952 +01:00 [Warning] RefreshTokenStore not configured - falling back to InMemory
w3wp.exe Information: 0 : 2016-10-04 13:44:24.346 +01:00 [Information] {
"Category": "Information",
"Name": "Signing certificate validation success",
"EventType": "Information",
"Id": 4012,
"Details": {
"SigningCertificateName": "CN=identityServer",
"SigningCertificateExpiration": "2019-12-31T23:00:00+00:00"
},
"Context": {
"TimeStamp": "2016-10-04T12:44:24.2176795+00:00",
"ProcessId": 3888,
"MachineName": "NAME_CHANGED"
}
}
IIS log:
2016-10-04 13:04:42 ::1 GET /identity/.well-known/openid-configuration - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.79+Safari/537.36+Edge/14.14393 - 404 0 2 0
Any help would be appreciated. Incidentally, this is a new machine so I've installed IIS from scratch - something that always causes me no end of issues.

The solution I found was to deploy the Identity Server 3 at the root of the Website (in my case Default Web Site) and not in an Application.

Fedora Configuration to enable TLS 1.2

I want to enable TLS 1.2 on the linux server to access third party ERP system. Please guide me through the steps and commands that I have to follow.
My Apache version: Apache/2.2.9 (Unix)
My OpenSSL version: OpenSSL 0.9.8b 04 May 2006
Thanks in advance.

Unless Fedora provides backports for TLS 1.2, the versions you mention are too old:
OpenSSL: Supported since version
1.0.1
Apache httpd: Introduced in
2.2.23
Anyway you can check if it actually is supported. Restrict the allowed protocols to TLS 1.2 only and try connecting with a recent browser. Edit your httpd.conf to:
SSLProtocol TLSv1.2

stunnel problems on Ubuntu 14 and Linux Mint 17

I installed stunnel4 from the program manager. When I try to run stunnel on either of Ubuntu 14 or Linux Mint 17, I get the message below. I have this working on CentOS6.5 and on MacOS X Mavericks. Not sure what to try next. Rebuilding openssl is a mess, if that is even the problem.
idf#idf-ZBOX-ID42-BE ~ $ sudo stunnel
Clients allowed=500
stunnel 4.53 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running with OpenSSL 1.0.1f 6 Jan 2014
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from descriptor 3
Compression not enabled
PRNG seeded successfully
Initializing inetd mode configuration
Section stunnel: SSL server needs a certificate
str_stats: 2 block(s), 10 data byte(s), 116 control byte(s)
idf#idf-ZBOX-ID42-BE ~ $
my conf file looks like this:
idf#idf-ZBOX-ID42-BE ~ $ more /etc/stunnel/stunnel.conf
;Example stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
;cert = stunnel.pem
;key = stunnel.pem
cert = /home/idf/Downloads/cert.pem
key = /home/idf/Downloads/key.pem
fips = no
libwrap=no
;
;Protocol version (all, SSLv2, SSLv3, TLSv1)
;sslVersion = all
sslVersion = all
ciphers = ALL
;
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /home/idf/stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = cacerts.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[xxxxxxx-xxx-xxxxx]
client = yes
accept = 127.0.0.1:9099
connect= xx.xx.xx.xx:2506
; vim:ft=dosini
idf#idf-ZBOX-ID42-BE ~ $
If I uninstall the stunnel that is in the repository and replace it with this one:
https://launchpad.net/ubuntu/utopic/amd64/stunnel4/3:5.01-3
I still get even if I disable compression. I don't understand why it is telling me about the "Service [stunnel]: SSL server needs a certificate" since I am trying to use it only in client mode. Also, the other end does not need a certificate.
idf#idf-ZBOX-ID42-BE ~/Downloads $ sudo stunnel
[ ] Clients allowed=500
[.] stunnel 5.01 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
[.] Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from descriptor 3
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing inetd mode configuration
[!] Service [stunnel]: SSL server needs a certificate
idf#idf-ZBOX-ID42-BE ~/Downloads $ ps ax | grep stunnel

i just beat my way thru this the other day.
you want stunnel4_5.01-3_amd64.deb - you'll have to download that - not in the repos yet. i believe someone made it work with 4.53, but i didn't manage it.
https://launchpad.net/ubuntu/utopic/amd64/stunnel4/3:5.01-3
openssl 1.0.1f and libssl.1.0.0 and libssl.1.0.0:i386 1.0.1f (they're the current versions) are good. but note this from your start output:
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running with OpenSSL 1.0.1f 6 Jan 2014
i think updating stunnel as described above will sort that for you.
and the other thing you need to do is turn off compression in your stunnel.conf - none of the different types of compression i tried currently work. hopefully, that's temporary.
regards,
hth

(I'm the same guys as above user3694589 - finally bothered to create an account.)
FYI, I just subscribed myself to this related bug and marked it as affecting me on launchpad.net:
https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/1315844
You might want to add yourself as well. Several minutes later, I got this email:
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: stunnel4 (Ubuntu)
Status: New => Confirmed
-- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1315844 Title: won't start with compression on