Java 7 Upgrade Pitfall

Java 7 에서는 Security 관련 변경사항이 많다.

* Java 7 Compatibility

• Sort algorithm changes in Java 7 | tOMPSON's blog
• Comparator 구현시 1, 0, -1을 정확히 리턴해주게 작성할 것.

• Freemarker에서 private class의 인스턴스를 읽지 못한다. public으로 변경해야 한다.
• 이 문제는 정확하지 않다. private class라도 별 문제없이 되는 경우도 있다.

• SSLv3, MD2와 RSA 키 크기가 1024bit 미만인 경우를 기본으로 금지하고 있다.
• 원래 사용하면 안 좋은 것이니 사용하지 않는다.
• SSLv3, MD2와 RSA Keysize 1024bit 미만이 꼭 필요하다면 $JAVA_HOME/jre/lib/security/java.security 파일에서 다음을 주석처리한다.

  #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
  #jdk.tls.disabledAlgorithms=SSLv3

• Arrrggh! java.security.cert.CertificateException: Certificates does not conform to algorithm constraints : Pragmatic Coder - Java, Wicket and the Web

• JavaPNS 사용시 SSL 인증서를 인식 못하는 문제가 있다.
• Java 2-way TLS/SSL (Client Certificates) and PKCS12 vs JKS KeyStores - Palomino Labs Blog 인증서 파일 포맷을 JKS 로 변경하면 잘 작동한다는 이야기
• Issue 165 - javapns - Java 7 compatibility - Apple Push Notification Service Provider for Java

  keytool -importkeystore -destkeystore CERTIFICATES.jks -srckeystore CERTIFICATES.p12 -srcstoretype PKCS12

• Bug ID: JDK-8013059 Diffie Hellman occasionally results in "invalid padding" exception
  • SSL intermittent problem when using DH-based ci... | Oracle Forums
  • I noticed that the bug suggested here (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=2222432) relates to the Diffie-Hellman key exchange, so I tried selecting a cipher which does not use Diffie-Hellman (-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256) and the problem went away. So I think we have a workaround.

• ssl - Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
• PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target.
• Unable to Connect to SSL Services due to PKIX Path Building Failed - Atlassian Knowledge Base

The source of this error on my Apache 2.4 instance (using a Comodo wildcard certificate) was an incomplete path to the SHA-1 signed root certificate. There were multiple chains in the issued certificate, and the chain leading to a SHA-1 root certificate was missing an intermediate certificate. Modern browsers know how to handle this, but Java 7 doesn't handle it by default (although there are some convoluted ways to accomplish this in code). The result is error messages that look identical to the case of self-signed certificates:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
  ... 22 more

In this case, the “unable to find valid certification path to requested target” message is being produced due to the missing intermediate certificate. You can check which certificate is missing using SSL Labs test against the server. Once you find the appropriate certificate, download it and (if the server is under your control) add it to the certificate bundle. Alternatively, you can import the missing certificate locally. Accommodating this issue on the server is a more general solution to the problem.