java:7:pitfall

Differences

This shows the differences between the two selected revisions of the page.

java:7:pitfall [2015/06/23 15:22]
kwon37xi
java:7:pitfall [2015/12/18 16:36] (current)
kwon37xi
Line 12: Line 12:
   * 이 문제는 정확하지 않다. private class라도 별 문제없이 되는 경우도 있다.   * 이 문제는 정확하지 않다. private class라도 별 문제없이 되는 경우도 있다.
  
-===== MD2, RSA Keysize 1024미만 ===== +===== SSLv3, MD2, RSA Keysize 1024미만 ===== 
-  * MD2와 RSA 키 크기가 1024bit 미만인 경우를 기본으로 금지하고 있다.+  * SSLv3, MD2와 RSA 키 크기가 1024bit 미만인 경우를 기본으로 금지하고 있다.
   * 원래 사용하면 안 좋은 것이니 사용하지 않는다.   * 원래 사용하면 안 좋은 것이니 사용하지 않는다.
-  * MD2와 RSA Keysize 1024bit 미만이 꼭 필요하다면 ''$JAVA_HOME/jre/lib/security/java.security'' 파일에서 다음을 주석처리한다.<code sh>+  * SSLv3, MD2와 RSA Keysize 1024bit 미만이 꼭 필요하다면 ''$JAVA_HOME/jre/lib/security/java.security'' 파일에서 다음을 주석처리한다.<code sh>
 #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 +#jdk.tls.disabledAlgorithms=SSLv3
 </code> </code>
   * [[http://www.richardnichols.net/2012/08/arrrggh-java-security-cert-certificateexception-certificates-does-not-conform-to-algorithm-constraints/|Arrrggh! java.security.cert.CertificateException: Certificates does not conform to algorithm constraints : Pragmatic Coder - Java, Wicket and the Web]]   * [[http://www.richardnichols.net/2012/08/arrrggh-java-security-cert-certificateexception-certificates-does-not-conform-to-algorithm-constraints/|Arrrggh! java.security.cert.CertificateException: Certificates does not conform to algorithm constraints : Pragmatic Coder - Java, Wicket and the Web]]
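Review bot: the bullet that says to "comment out the following" in ''$JAVA_HOME/jre/lib/security/java.security'' shows the lines already in their commented-out form (`#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024` and the newly added `#jdk.tls.disabledAlgorithms=SSLv3`), so a reader looking for those exact lines will not find them; state that the active entries have no leading `#` and that a `#` is to be added in front of each, or show the file before and after. The same bullet should also say what the edit affects: changing that file re-enables SSLv3, MD2 and RSA keys shorter than 1024 bits for every application running on that JDK installation, not only the one connection that needs them, which sits uneasily with the line above that says these should not be used at all. A sentence pointing out that the right fix is on the peer (a SHA-2 certificate with a 2048-bit key and TLS instead of SSLv3), and that the java.security change is a last resort confined to a dedicated JDK copy, would make the section safer to follow.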
Line 30: Line 31:
     * I noticed that the bug suggested here (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2222432) relates to the Diffie-Hellman key exchange, so I tried selecting a cipher which does not use Diffie-Hellman (''-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256'') and the problem went away. So I think we have a workaround.     * I noticed that the bug suggested here (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2222432) relates to the Diffie-Hellman key exchange, so I tried selecting a cipher which does not use Diffie-Hellman (''-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256'') and the problem went away. So I think we have a workaround.
  
-===== 문단 제목 =====+===== Unable to Connect to SSL Services due to PKIX Path Building Failed =====
   * [[http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find|ssl - Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]   * [[http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find|ssl - Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]
   * [[http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html|PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target.]]   * [[http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html|PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target.]]
 +  * [[https://confluence.atlassian.com/display/KB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed|Unable to Connect to SSL Services due to PKIX Path Building Failed - Atlassian Knowledge Base]]
  
 The source of this error on my Apache 2.4 instance (using a Comodo wildcard certificate) was an incomplete path to the SHA-1 signed root certificate. There were multiple chains in the issued certificate, and the chain leading to a SHA-1 root certificate was missing an [[https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority|intermediate certificate]]. Modern browsers know how to handle this, but Java 7 doesn't handle it by default (although there are some convoluted ways to accomplish this in code). The result is error messages that look identical to the case of self-signed certificates: The source of this error on my Apache 2.4 instance (using a Comodo wildcard certificate) was an incomplete path to the SHA-1 signed root certificate. There were multiple chains in the issued certificate, and the chain leading to a SHA-1 root certificate was missing an [[https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority|intermediate certificate]]. Modern browsers know how to handle this, but Java 7 doesn't handle it by default (although there are some convoluted ways to accomplish this in code). The result is error messages that look identical to the case of self-signed certificates:
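Review bot: replacing the placeholder heading "문단 제목" with "Unable to Connect to SSL Services due to PKIX Path Building Failed" and adding the Atlassian KB link is fine, but the two English first-person passages in this region ("I noticed that the bug suggested here ... So I think we have a workaround." and "The source of this error on my Apache 2.4 instance ...") are someone else's words, apparently copied from the linked Stack Overflow answers, with no quote markup or attribution, and the second one ends with a colon whose following error text is missing. Either wrap them in a quote block and name the answer they come from, or summarise them in the page's own voice; in the summary, it is worth noting that both describe the same root cause (a server sending an incomplete chain, missing an intermediate certificate) and that the fix belongs on the server, while the `-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256` workaround in the first passage only changes the client's cipher selection and does not repair the chain.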
java/7/pitfall.1435040539.txt.gz · Last modified: 2015/06/23 15:22 by kwon37xi