HI Team,
Recently I have upgraded from 8.2.p2 to 8.3 in my sandbox environment running on azure SQLServer instance, everything seems working fine however can see that for one JDBC connector using SQLServer driver is failing with below error, i have already updated latest SQL driver jar from 10.2 to 12.0
any help would be appreciated.
Can you test with changing the URI to end it with:
trustservercertificate=true;encrypt=false
– Remold
Hi Dheeraj,
It looks like the issue with rsa key length limitation caused by java security.
Can you check in your java security if jdk.certpath.disabledAlgorithms contains something like RSA keySize < 1024
It would be better to make the key size more then 1024 but as its a sandbox i think you can test it first with disabling this check.
Thankyou @kjakubiak
below is the jdk.certpath.disabledAlgorithm in my java.security, i increased the keySize to 2024 but still, getting same error:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer,
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224,
include jdk.disabled.namedCurves
below is additional logs:
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=SSL_Self_Signed_Fallback
at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:889) ~[?:?]
at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:507) ~[?:?]
at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:247) ~[?:?]
additional info i am using “mssql-jdbc-12.4.2.jre11.jar” and “com.microsoft.sqlserver.jdbc.SQLServerDriver” driver name
Can you add this to your tomcat server startup options :
-Djava.security.disableSystemPropertiesFile=true
Hi Dheeraj,
Did you change the key to 2048 in the database or in java security file?
Hi @kjakubiak ,
Yes i did change the keySize<2048 in java.security file.
Hi Dheeraj,
So generaly what you did is oposit to what you wanted to achieve 
now you enforce that the must have at least 2048 to work. I would suggest to just keep MD2, MD5 and SHA1 in the disabledAlgorythms and remove the rest.
Updated , but got same error:
p
om.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: “Certificates do not conform to algorithm constraints”. ClientConnectionId:26ae0198-970a-4a66-bf15-e0a09
Can you validate the certificate to see the keysize and type?
openssl x509 -pubkey -noout -text -inform DER -in <certificate filename>
You can also take a look at:
https://www.java-success.com/debugging-java-security-cert-certificateexception-certificates-does-not-conform-to-algorithm-constraints/
– Remold
Another solution might be:
Removing SHA-1 from the disabled algorithms in retain.jdk.security file in the tomcat/conf folder
Toghether with removal of the SHA-1 from jdk.certpath.disabledAlgorithms
– Remold
Hi Everyone,
Thankyou for getting into this and helping me to resolve this issue, actually in java. Security file security.useSystemPropertiesFile=true parameter is set true.
This is why any change i was doing in java.Security file was getting overridden with another/etc/crypto-policies/back-ends/java.config file on RSA keySize<2048 was mentioned.
Now i am able to connect successfully. Thankyou all for your valuable suggestion and help, really appreciate !!
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.