java:7:pitfall

java:7:pitfall [2013/10/25 09:50]
kwon37xi
java:7:pitfall [2015/12/18 16:36] (current)
kwon37xi
Line 1: Line 1:
 ====== Java 7 Upgrade Pitfall ====== ====== Java 7 Upgrade Pitfall ======
 Java 7 에서는 Security 관련 변경사항이 많다. Java 7 에서는 Security 관련 변경사항이 많다.
 +
 +* [[http://www.oracle.com/technetwork/java/javase/compatibility-417013.html|Java 7 Compatibility]]
  
 ===== Sorting Algorithm 변경 ===== ===== Sorting Algorithm 변경 =====
Line 10: Line 12:
   * 이 문제는 정확하지 않다. private class라도 별 문제없이 되는 경우도 있다.   * 이 문제는 정확하지 않다. private class라도 별 문제없이 되는 경우도 있다.
  
-===== MD2, RSA Keysize 1024미만 ===== +===== SSLv3, MD2, RSA Keysize 1024미만 ===== 
-  * MD2와 RSA 키 크기가 1024bit 미만인 경우를 기본으로 금지하고 있다.+  * SSLv3, MD2와 RSA 키 크기가 1024bit 미만인 경우를 기본으로 금지하고 있다.
   * 원래 사용하면 안 좋은 것이니 사용하지 않는다.   * 원래 사용하면 안 좋은 것이니 사용하지 않는다.
-  * MD2와 RSA Keysize 1024bit 미만이 꼭 필요하다면 ''$JAVA_HOME/jre/lib/security/java.security'' 파일에서 다음을 주석처리한다.<code sh>+  * SSLv3, MD2와 RSA Keysize 1024bit 미만이 꼭 필요하다면 ''$JAVA_HOME/jre/lib/security/java.security'' 파일에서 다음을 주석처리한다.<code sh>
 #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 +#jdk.tls.disabledAlgorithms=SSLv3
 </code> </code>
   * [[http://www.richardnichols.net/2012/08/arrrggh-java-security-cert-certificateexception-certificates-does-not-conform-to-algorithm-constraints/|Arrrggh! java.security.cert.CertificateException: Certificates does not conform to algorithm constraints : Pragmatic Coder - Java, Wicket and the Web]]   * [[http://www.richardnichols.net/2012/08/arrrggh-java-security-cert-certificateexception-certificates-does-not-conform-to-algorithm-constraints/|Arrrggh! java.security.cert.CertificateException: Certificates does not conform to algorithm constraints : Pragmatic Coder - Java, Wicket and the Web]]
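Review bot: the added `#jdk.tls.disabledAlgorithms=SSLv3` line in the `<code sh>` block turns "comment this out" into a global re-enable of SSLv3 for every TLS connection the JRE makes, while the bullet just above still says these algorithms should not be used; the hunk should state which error maps to which property, because the two lines govern different things: `jdk.certpath.disabledAlgorithms` controls which signature algorithms and key sizes are accepted in certificate chains (the CertificateException in the link below), whereas `jdk.tls.disabledAlgorithms` controls which protocols the handshake may negotiate. If a relaxation is unavoidable, suggest narrowing the list instead of commenting the whole line out (for example dropping only `RSA keySize < 1024` and keeping `MD2`), and adding that `java.security` is shared by every application running on that installation, so the change is not scoped to the one service that needs it. Path note: `jre/lib/security/java.security` is right for a JDK; on a standalone JRE the file is `$JAVA_HOME/lib/security/java.security`.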
Line 24: Line 27:
 keytool -importkeystore -destkeystore CERTIFICATES.jks -srckeystore CERTIFICATES.p12 -srcstoretype PKCS12 keytool -importkeystore -destkeystore CERTIFICATES.jks -srckeystore CERTIFICATES.p12 -srcstoretype PKCS12
 </code> </code>
 +  * [[http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8013059|Bug ID: JDK-8013059 Diffie Hellman occasionally results in "invalid padding" exception]]
 +    * [[https://forums.oracle.com/thread/2506695|SSL intermittent problem when using DH-based ci... | Oracle Forums]]
 +    * I noticed that the bug suggested here (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2222432) relates to the Diffie-Hellman key exchange, so I tried selecting a cipher which does not use Diffie-Hellman (''-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256'') and the problem went away. So I think we have a workaround.
 +
 +===== Unable to Connect to SSL Services due to PKIX Path Building Failed =====
 +  * [[http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find|ssl - Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]
 +  * [[http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html|PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target.]]
 +  * [[https://confluence.atlassian.com/display/KB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed|Unable to Connect to SSL Services due to PKIX Path Building Failed - Atlassian Knowledge Base]]
 +
 +The source of this error on my Apache 2.4 instance (using a Comodo wildcard certificate) was an incomplete path to the SHA-1 signed root certificate. There were multiple chains in the issued certificate, and the chain leading to a SHA-1 root certificate was missing an [[https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority|intermediate certificate]]. Modern browsers know how to handle this, but Java 7 doesn't handle it by default (although there are some convoluted ways to accomplish this in code). The result is error messages that look identical to the case of self-signed certificates:
  
 +Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 +    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
 +    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
 +    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
 +    ... 22 more
  
 +In this case, the "unable to find valid certification path to requested target" message is being produced due to the missing intermediate certificate. You can check which certificate is missing using [[https://www.ssllabs.com/ssltest/|SSL Labs]] test against the server. Once you find the appropriate certificate, download it and (if the server is under your control) add it to the certificate bundle. Alternatively, you can import the missing certificate locally. Accommodating this issue on the server is a more general solution to the problem.
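Review bot: the pasted workaround `-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256` needs a caveat before it is presented as a fix: that suite is TLS 1.2-only and uses AES-256, so on a stock Java 7 client (TLS 1.2 is not enabled by default for client connections, and AES-256 is unavailable without the unlimited-strength JCE policy files) it may fail to negotiate at all, and when it does work it pins every `HttpsURLConnection` in the JVM to a single RSA key-exchange suite with no forward secrecy. Attribution: the sentence beginning "I noticed that the bug suggested here..." and the paragraph about the Apache 2.4 / Comodo setup are first-person accounts copied from the linked threads, but on the page they read as the author's own notes; suggest DokuWiki `>` quote markup or a "quoted from" prefix. The quoted text cites bug 2222432 while the list item links JDK-8013059; say whether these are the same issue or add the second link. Finally, the stack trace after "The result is error messages that look identical..." is plain wiki text; put it in a `<code>` block so the indented `at` lines keep their layout.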
  
java/7/pitfall.1382662253.txt.gz · Last modified: 2013/10/25 09:50 by kwon37xi