-
Bug
-
Resolution: Incomplete
-
P4
-
None
-
8u141
-
x86_64
-
windows_7
FULL PRODUCT VERSION :
Java Plug-in 11.144.2.01 x86
Using JRE version 1.8.0_144-b01 Java HotSpot(TM) Client VM
ADDITIONAL OS VERSION INFORMATION :
Window 7 professional
A DESCRIPTION OF THE PROBLEM :
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Loading certificates from Internet Explorer DISALLOWED certificate store
security: Loaded certificates from Internet Explorer DISALLOWED certificate store
security: Loaded blacklisted.certs file: C:\Users\Twaterman\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs
security: SHA-256Certificate finger print: 2D899E7CFD37344266312485B2F36314553A5714A3F17A8873970C0208ED9FE9
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: EAE72EB454BF6C3977EBD289E970B2F5282949190093D0D26F98D0F0D6A9CF17
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
REGRESSION. Last worked in version 8u131
ADDITIONAL REGRESSION INFORMATION:
Java.security file:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Java JRE rejects SHA1 certificates from the certificate chain from Java 8u141 version. This issue is discussed in detail in Java release documents
(refer https://www.java.com/en/download/faq/release_changes.xml in section Java 8 Update 141, sub section "Improved algorithm constraints checking" ).
customers have upgraded to latest versions of Java (8u141 or 8u144), there are customers who could not even launch the java application.
As a workaround, each customer has to either use Java 8u131 version (where SHA1 is not rejected) or remove the statement of SHA1 from Java security file (see attached java security file).
Would it be possible for security team to review this and find if there is an alternate way to include only SHA1 certificates in jdkca validation in the future release.
ACTUAL -
security: Loaded certificates from Internet Explorer ROOT certificate store
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Java Plug-in 11.144.2.01 x86
Using JRE version 1.8.0_144-b01 Java HotSpot(TM) Client VM
User home directory = C:\Users\cccccccccc
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
network: Version checking for https://www.xxxxxxxxxxx.com/Client.jar, specified version is 4.0.0.00
basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@162cadb
security: Expected Main URL: https://www.xxxxxxxxxxx.com/Client.jar
basic: Plugin2ClassLoader.addURL parent called for https://www.xxxxxxxxxxx.com/Client.jar
network: Cache entry not found [url: file:/C:/Program%20Files%20(x86)/Java/jre1.8.0_144/lib/ext/sunec.jar, version: null]
network: Cache entry not found [url: https://www.xxxxxxxxxxx.com/Client.jar, version: 4.0.0.00]
network: Connecting https://www.xxxxxxxxxxx.com/Client.jar?version-id=4.0.0.00 with proxy=DIRECT
network: Connecting http://www.markets2.ml.com:443/ with proxy=DIRECT
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Loading certificates from Internet Explorer DISALLOWED certificate store
security: Loaded certificates from Internet Explorer DISALLOWED certificate store
security: Loaded blacklisted.certs file: C:\Users\Twaterman\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs
security: SHA-256Certificate finger print: 2D899E7CFD37344266312485B2F36314553A5714A3F17A8873970C0208ED9FE9
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: EAE72EB454BF6C3977EBD289E970B2F5282949190093D0D26F98D0F0D6A9CF17
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source)
at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source)
at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$900(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate$2.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 46 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
... 56 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$Constraint.next(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$jdkCAConstraint.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints.permits(Unknown Source)
at sun.security.provider.certpath.AlgorithmChecker.check(Unknown Source)
... 61 more
network: Cache entry not found [url: https://www.xxxxxxxxxxx.com/Client.jar, version: 4.0.0.00]
network: Connecting https://www.xxxxxxxxxxx.com/Client.jar?version-id=4.0.0.00 with proxy=DIRECT
network: Connecting http://www.xxxxxxxxxxxxx.com:443/ with proxy=DIRECT
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: SHA-256Certificate finger print: 2D899E7CFD37344266312485B2F36314553A5714A3F17A8873970C0208ED9FE9
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: EAE72EB454BF6C3977EBD289E970B2F5282949190093D0D26F98D0F0D6A9CF17
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source)
at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source)
at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$900(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate$2.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 44 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
... 54 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$Constraint.next(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$jdkCAConstraint.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints.permits(Unknown Source)
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Java.security file:
---------------------
Removed SHA1 jdkCA & usage TLSServer value for the property
jdk.certpath.disabledAlgorithms=MD2, MD5, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
Java Plug-in 11.144.2.01 x86
Using JRE version 1.8.0_144-b01 Java HotSpot(TM) Client VM
ADDITIONAL OS VERSION INFORMATION :
Window 7 professional
A DESCRIPTION OF THE PROBLEM :
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Loading certificates from Internet Explorer DISALLOWED certificate store
security: Loaded certificates from Internet Explorer DISALLOWED certificate store
security: Loaded blacklisted.certs file: C:\Users\Twaterman\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs
security: SHA-256Certificate finger print: 2D899E7CFD37344266312485B2F36314553A5714A3F17A8873970C0208ED9FE9
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: EAE72EB454BF6C3977EBD289E970B2F5282949190093D0D26F98D0F0D6A9CF17
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
REGRESSION. Last worked in version 8u131
ADDITIONAL REGRESSION INFORMATION:
Java.security file:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Java JRE rejects SHA1 certificates from the certificate chain from Java 8u141 version. This issue is discussed in detail in Java release documents
(refer https://www.java.com/en/download/faq/release_changes.xml in section Java 8 Update 141, sub section "Improved algorithm constraints checking" ).
customers have upgraded to latest versions of Java (8u141 or 8u144), there are customers who could not even launch the java application.
As a workaround, each customer has to either use Java 8u131 version (where SHA1 is not rejected) or remove the statement of SHA1 from Java security file (see attached java security file).
Would it be possible for security team to review this and find if there is an alternate way to include only SHA1 certificates in jdkca validation in the future release.
ACTUAL -
security: Loaded certificates from Internet Explorer ROOT certificate store
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Java Plug-in 11.144.2.01 x86
Using JRE version 1.8.0_144-b01 Java HotSpot(TM) Client VM
User home directory = C:\Users\cccccccccc
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
network: Version checking for https://www.xxxxxxxxxxx.com/Client.jar, specified version is 4.0.0.00
basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@162cadb
security: Expected Main URL: https://www.xxxxxxxxxxx.com/Client.jar
basic: Plugin2ClassLoader.addURL parent called for https://www.xxxxxxxxxxx.com/Client.jar
network: Cache entry not found [url: file:/C:/Program%20Files%20(x86)/Java/jre1.8.0_144/lib/ext/sunec.jar, version: null]
network: Cache entry not found [url: https://www.xxxxxxxxxxx.com/Client.jar, version: 4.0.0.00]
network: Connecting https://www.xxxxxxxxxxx.com/Client.jar?version-id=4.0.0.00 with proxy=DIRECT
network: Connecting http://www.markets2.ml.com:443/ with proxy=DIRECT
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Loading certificates from Internet Explorer DISALLOWED certificate store
security: Loaded certificates from Internet Explorer DISALLOWED certificate store
security: Loaded blacklisted.certs file: C:\Users\Twaterman\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs
security: SHA-256Certificate finger print: 2D899E7CFD37344266312485B2F36314553A5714A3F17A8873970C0208ED9FE9
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: EAE72EB454BF6C3977EBD289E970B2F5282949190093D0D26F98D0F0D6A9CF17
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source)
at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source)
at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$900(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate$2.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 46 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
... 56 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$Constraint.next(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$jdkCAConstraint.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints.permits(Unknown Source)
at sun.security.provider.certpath.AlgorithmChecker.check(Unknown Source)
... 61 more
network: Cache entry not found [url: https://www.xxxxxxxxxxx.com/Client.jar, version: 4.0.0.00]
network: Connecting https://www.xxxxxxxxxxx.com/Client.jar?version-id=4.0.0.00 with proxy=DIRECT
network: Connecting http://www.xxxxxxxxxxxxx.com:443/ with proxy=DIRECT
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: SHA-256Certificate finger print: 2D899E7CFD37344266312485B2F36314553A5714A3F17A8873970C0208ED9FE9
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: EAE72EB454BF6C3977EBD289E970B2F5282949190093D0D26F98D0F0D6A9CF17
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source)
at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source)
at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$900(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate$2.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 44 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
... 54 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US. Usage was tls server
at sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$Constraint.next(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$jdkCAConstraint.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(Unknown Source)
at sun.security.util.DisabledAlgorithmConstraints.permits(Unknown Source)
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Java.security file:
---------------------
Removed SHA1 jdkCA & usage TLSServer value for the property
jdk.certpath.disabledAlgorithms=MD2, MD5, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224