java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

mnachiappan
Techie
Posts: 1

Hi,

I am getting "java.security.cert.CertificateException: Certificates do not conform to algorithm constraints" when I tried to access the REST API from the Java Apache HTTP client. I tried all possible solutions like

# jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
# jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

Any possible solutions?


Re: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

Adviser
Posts: 70

Hi,

Did this start happening after upgrading to an 8.x version of NIOS?

Here are a few things you could try.

It is likely that the cipher suite being negotiated could be having compatibility issues with the Java client.

You can see the enabled ciphers in NIOS using the CLI command 'show ssl_tls_ciphers'.

This will give you a list like the one below.

 

 

Infoblox > show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
14. TLS_RSA_WITH_RC4_128_SHA enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled

 

 

You can override the default settings using the command 'set ssl_tls_settings override'.

 

You can disable a cipher using the command 'set ssl_tls_ciphers disable <index number>'. For example, in the above listing, if you want to disable TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, use the command 'set ssl_tls_ciphers disable 2'. To enable the cipher, use 'set ssl_tls_ciphers enable TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'.

 

You can either find the cipher being negotiated from a traffic capture taken from NIOS while the API call is being made, or try disabling the ciphers one by one to identify the offending one.

After any change a web UI restart is needed. You can use the command 'debug webui restart' for this.

 

Please note, this is only a preliminary assessment of the issue based on the symptoms and may not be the actual cause of the problem. If this does not work, please open a case with support.

 

Regards,

Sandeep
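As an added example (not from either poster, and not Infoblox or JDK code), the following script cross-checks the 'show ssl_tls_ciphers' listing against the jdk.tls.disabledAlgorithms value quoted in the question, so the mismatch can be found from the two configurations instead of by disabling ciphers one at a time. It assumes, as a simplification, that a constraint entry without a keySize clause matches a suite when its underscore-separated tokens appear contiguously in the suite name; the real JDK matching is richer, and keySize rules (such as DH keySize < 768) need the live handshake, not the suite name, so they are skipped here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of the NIOS listing shown in the thread.
SHOW_SSL_TLS_CIPHERS = """\
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
14. TLS_RSA_WITH_RC4_128_SHA enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
"""

# The jdk.tls.disabledAlgorithms value quoted in the question.
JDK_TLS_DISABLED = "SSLv3, RC4, MD5withRSA, DH keySize < 768"

# Enabled lines carry an index ("14. NAME enabled"); disabled lines carry none.
LINE_RE = re.compile(r"^(?:(\d+)\.\s+)?(TLS_\w+)\s+(enabled|disabled)$")


def parse_cipher_listing(text: str) -> List[Dict]:
    """Turn the CLI listing into records of index, suite name and state."""
    suites = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            idx, name, state = m.groups()
            suites.append({"index": int(idx) if idx else None,
                           "name": name, "enabled": state == "enabled"})
    return suites


def keyword_constraints(disabled_algorithms: str) -> List[str]:
    """Keep only name-based entries; keySize rules cannot be judged from a suite name."""
    return [e.strip() for e in disabled_algorithms.split(",")
            if e.strip() and "keySize" not in e]


def _has_tokens(name: str, keyword: str) -> bool:
    # Assumption: contiguous token match, so "DES" does not hit "3DES" by accident.
    nt, kt = name.upper().split("_"), keyword.upper().split("_")
    return any(nt[i:i + len(kt)] == kt for i in range(len(nt) - len(kt) + 1))


def flag_conflicting_suites(listing: str, disabled_algorithms: str) -> List[Tuple[Optional[int], str, str]]:
    """Return (index, suite, constraint) for every enabled suite a JDK constraint would reject."""
    hits = []
    for s in parse_cipher_listing(listing):
        if s["enabled"]:
            for kw in keyword_constraints(disabled_algorithms):
                if _has_tokens(s["name"], kw):
                    hits.append((s["index"], s["name"], kw))
                    break
    return hits


def nios_disable_commands(hits) -> List[str]:
    """Map each flagged suite to the NIOS command named in the answer above."""
    return [f"set ssl_tls_ciphers disable {idx}" for idx, _, _ in hits if idx is not None]
```

With the constraint list from the question only the RC4 suite is flagged; adding 3DES_EDE_CBC, as newer JDK defaults do, also flags suite 10.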
