HTTPS modules fail because of algorithm constraints

Description

We have a node with an HTTPS service, which OPEN sees as down because of a certificate issue. We have just upgraded from 1.10.3 to 1.12.5 and this problem has appeared.

Here is what we see in poller.log.

2014-04-09 15:21:47,811 WARN [Poller-Thread-13-of-30] HttpsMonitor: IOException while polling address /192.168.121.1
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.OutputStream.write(OutputStream.java:75)
at org.opennms.netmgt.poller.monitors.HttpMonitor$HttpMonitorClient.sendHttpCommand(HttpMonitor.java:538)
at org.opennms.netmgt.poller.monitors.HttpMonitor.poll(HttpMonitor.java:151)
at org.opennms.netmgt.poller.pollables.LatencyStoringServiceMonitorAdaptor.poll(LatencyStoringServiceMonitorAdaptor.java:104)
at org.opennms.netmgt.poller.pollables.PollableServiceConfig.poll(PollableServiceConfig.java:112)
at org.opennms.netmgt.poller.pollables.PollableService.poll(PollableService.java:178)
at org.opennms.netmgt.poller.pollables.PollableElement.poll(PollableElement.java:292)
at org.opennms.netmgt.poller.pollables.PollableContainer$5.run(PollableContainer.java:305)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:263)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:249)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:227)
at org.opennms.netmgt.poller.pollables.PollableContainer.poll(PollableContainer.java:312)
at org.opennms.netmgt.poller.pollables.PollableInterface.poll(PollableInterface.java:205)
at org.opennms.netmgt.poller.pollables.PollableContainer$5.run(PollableContainer.java:305)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:263)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:249)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:227)
at org.opennms.netmgt.poller.pollables.PollableContainer.poll(PollableContainer.java:312)
at org.opennms.netmgt.poller.pollables.PollableNode$3.run(PollableNode.java:303)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:263)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:249)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:227)
at org.opennms.netmgt.poller.pollables.PollableNode.doPoll(PollableNode.java:306)
at org.opennms.netmgt.poller.pollables.PollableElement.doPoll(PollableElement.java:183)
at org.opennms.netmgt.poller.pollables.PollableService.doPoll(PollableService.java:211)
at org.opennms.netmgt.poller.pollables.PollableService$PollRunner.run(PollableService.java:57)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:263)
at org.opennms.netmgt.poller.pollables.PollableElement.withTreeLock(PollableElement.java:249)
at org.opennms.netmgt.poller.pollables.PollableService.doRun(PollableService.java:383)
at org.opennms.netmgt.poller.pollables.PollableService.run(PollableService.java:364)
at org.opennms.netmgt.scheduler.Schedule.run(Schedule.java:135)
at org.opennms.netmgt.scheduler.Schedule$ScheduleEntry.run(Schedule.java:80)
at org.opennms.netmgt.scheduler.LegacyScheduler$1.run(LegacyScheduler.java:201)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.opennms.core.concurrent.LogPreservingThreadFactory$3.run(LogPreservingThreadFactory.java:107)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:946)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:872)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:814)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 48 more

Could you help us?

Thanks in advance.

Kind Regards.

Environment

Java Version: 1.7.0_51 Oracle Corporation
Java Virtual Machine: 24.51-b03 Oracle Corporation
OpenNMS Version: 1.12.5

Acceptance / Success Criteria

None

Activity

Seth Leger April 10, 2017 at 10:37 AM

PR has been squashed and merged, marking as fixed.

commit fead446e74024c240fefeedf0208cb27fb8fe487

Ron Roskens March 24, 2017 at 3:31 PM

Ron Roskens February 15, 2017 at 11:25 PM

I've added a RelaxedX509EnhancedTrustManager to a branch in OpenNMS (jira/) based off 19.0.0.

The artifacts from the build are at http://bamboo.internal.opennms.com:8085/browse/OPENNMS-ONMS1317-5/artifact.

The build passes all unit-tests, but I haven't had a chance to install the RPMs or DEBs on a system and test out that HttpsMonitor is able to connect to older systems regardless of which algorithms are used when connecting.

I would also like to get this tested out against an older JVM for JMX data collection. So have servers running Java 6 and Java 7, both with JMX enabled, and have OpenNMS pull stats from those servers.

Ron Roskens February 2, 2017 at 12:37 PM

I'm running into this issue running OpenNMS 18.0.3 on JDK 1.8.0_112 when connecting to some older webservers that only have TLS1.0 using the HttpsMonitor.
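
A diagnostic sketch for the "Certificates does not conform to algorithm constraints" error reported above, added here as an example; it is not part of the original thread and not OpenNMS code. It assumes the rejection comes from the JDK security properties `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` (the thread does not name them), and its matcher is a simplified re-implementation that understands only bare algorithm names and `ALG keySize OP N` entries. The class name, the sample list and the sample certificate attributes are constructed.

```java
import java.security.Security;
import java.util.*;

public class AlgorithmConstraintCheck {
    static String norm(String s) { return s.toUpperCase(Locale.ROOT).replace("-", ""); }

    static boolean cmp(int bits, String op, int limit) {
        switch (op) {
            case "<":  return bits < limit;
            case "<=": return bits <= limit;
            case ">":  return bits > limit;
            case ">=": return bits >= limit;
            case "==": return bits == limit;
            case "!=": return bits != limit;
            default:   return false;
        }
    }

    // Entries of `disabled` matched by a certificate's signature algorithm and public key.
    // Handles "ALG" and "ALG keySize OP N" only; other entry forms are skipped (simplification).
    static List<String> violations(String disabled, String sigAlg, String keyAlg, int keyBits) {
        // "MD5withRSA" decomposes to {MD5, RSA}; the key algorithm counts as well.
        Set<String> algs = new HashSet<>(Arrays.asList(norm(sigAlg).split("WITH|AND")));
        algs.add(norm(keyAlg));
        List<String> hits = new ArrayList<>();
        for (String entry : disabled.split(",")) {
            String[] t = entry.trim().split("\\s+");
            if (t.length == 1 && algs.contains(norm(t[0]))) {
                hits.add(entry.trim());
            } else if (t.length == 4 && t[1].equalsIgnoreCase("keySize")
                    && norm(t[0]).equals(norm(keyAlg)) && cmp(keyBits, t[2], Integer.parseInt(t[3]))) {
                hits.add(entry.trim());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // What this JVM actually enforces (null if the property is unset).
        System.out.println("certpath: " + Security.getProperty("jdk.certpath.disabledAlgorithms"));
        System.out.println("tls:      " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        String sample = "MD2, MD5, RSA keySize < 1024"; // constructed sample list, not a JDK default
        System.out.println(violations(sample, "MD5withRSA", "RSA", 2048));    // constructed cert A
        System.out.println(violations(sample, "SHA1withRSA", "RSA", 512));    // constructed cert B
        System.out.println(violations(sample, "SHA256withRSA", "RSA", 2048)); // constructed cert C
    }
}
```

For a real certificate, take the signature algorithm from `X509Certificate.getSigAlgName()` and the key size from the public key (for RSA, the bit length of the modulus), and pass the property value printed by `main` as the `disabled` argument.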

Fixed

Created April 9, 2014 at 10:35 AM
Updated April 10, 2017 at 2:33 PM
Resolved April 10, 2017 at 10:37 AM