-
Bug
-
Resolution: Won't Fix
-
P3
-
None
-
15
-
None
Protocol: TLSv1.1
Cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Certificate: SHA256withDSA with key size 2048
The above simple TLS handshaking case failed with the below error,
Caused by: javax.net.ssl.SSLException: Unsupported signature algorithm: DSA
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:327)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:270)
at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeMessage.<init>(DHServerKeyExchange.java:154)
at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeProducer.produce(DHServerKeyExchange.java:487)
at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1101)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:451)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:428)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:184)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:799)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:758)
at SSLSocketTemplate.runServerApplication(SSLSocketTemplate.java:99)
at SSLSocketTemplate.doServerSide(SSLSocketTemplate.java:288)
at SSLSocketTemplate.startServer(SSLSocketTemplate.java:592)
at SSLSocketTemplate.bootup(SSLSocketTemplate.java:506)
... 2 more
Caused by: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
at java.base/sun.security.provider.DSA.checkKey(DSA.java:124)
at java.base/sun.security.provider.DSA.engineInitSign(DSA.java:156)
at java.base/java.security.Signature$Delegate.tryOperation(Signature.java:1306)
at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1255)
at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1352)
at java.base/java.security.Signature.initSign(Signature.java:634)
at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeMessage.getSignature(DHServerKeyExchange.java:441)
at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeMessage.<init>(DHServerKeyExchange.java:150)
This case also failed with SSLv3 and TLSv1, but passed with TLSv1.2.
Cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Certificate: SHA256withDSA with key size 2048
The above simple TLS handshaking case failed with the below error,
Caused by: javax.net.ssl.SSLException: Unsupported signature algorithm: DSA
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:327)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:270)
at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeMessage.<init>(DHServerKeyExchange.java:154)
at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeProducer.produce(DHServerKeyExchange.java:487)
at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1101)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:451)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:428)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:184)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:799)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:758)
at SSLSocketTemplate.runServerApplication(SSLSocketTemplate.java:99)
at SSLSocketTemplate.doServerSide(SSLSocketTemplate.java:288)
at SSLSocketTemplate.startServer(SSLSocketTemplate.java:592)
at SSLSocketTemplate.bootup(SSLSocketTemplate.java:506)
... 2 more
Caused by: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
at java.base/sun.security.provider.DSA.checkKey(DSA.java:124)
at java.base/sun.security.provider.DSA.engineInitSign(DSA.java:156)
at java.base/java.security.Signature$Delegate.tryOperation(Signature.java:1306)
at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1255)
at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1352)
at java.base/java.security.Signature.initSign(Signature.java:634)
at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeMessage.getSignature(DHServerKeyExchange.java:441)
at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeMessage.<init>(DHServerKeyExchange.java:150)
This case also failed with SSLv3 and TLSv1, but passed with TLSv1.2.
- relates to
-
JDK-8243558 JDK Provider Guide should document that DSA signature generation is now subject to a key strength check
- Resolved
-
JDK-8243549 sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java failed with Unsupported signature algorithm: DSA
- Resolved