JDK-8166362 : [TEST_BUG] test sun/net/www/http/HttpClient/B8025710.java failing with cert error in 8u121 b01
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u131,8u121
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-09-20
  • Updated: 2018-03-21
  • Resolved: 2017-03-20
Version table:
  • JDK 7: 7u171 (Fixed)
  • JDK 8: 8u161 b01 (Fixed)
  • Other: openjdk7u (Fixed)
Description
The test sun/net/www/http/HttpClient/B8025710.java started failing in the 8u121 nightly after new EC key restrictions were introduced in bug JDK-8148516.

Exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at B8025710$HttpServer.run(B8025710.java:296)
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1511)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316)
	at sun.net.www.protocol.http.HttpURLConnection.access$100(HttpURLConnection.java:91)
	at sun.net.www.protocol.http.HttpURLConnection$8.run(HttpURLConnection.java:1283)
	at sun.net.www.protocol.http.HttpURLConnection$8.run(HttpURLConnection.java:1281)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1280)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
	at B8025710.runTest(B8025710.java:84)
	at B8025710.main(B8025710.java:50)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.javatest.regtest.agent.MainActionHelper$SameVMRunnable.run(MainActionHelper.java:226)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
	at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1117)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1043)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
	... 25 more


Need to regenerate certificate used in tests based on new key restrictions introduced.
Comments
For now, we can fix this by resetting the tls/certpath constraints. Another bug should track efforts to update the certs used in JDK 8u and earlier releases. @@ -47,6 +48,9 @@ private static final String passphrase = "passphrase"; public static void main(String[] args) throws Exception { + // test uses legacy MD5 based cert + Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + Security.setProperty("jdk.tls.disabledAlgorithms", ""); new B8025710().runTest();
20-03-2017
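Review bot: The two Security.setProperty calls added at the top of main() set jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms to the empty string, which lifts every certpath and TLS algorithm restriction rather than only the one this test's certificate trips over. Security.setProperty applies to the whole JVM, and the stack trace in the description shows the test running under SameVMRunnable, so the relaxed settings can carry over to whatever else runs in that VM. Suggest running the test with main/othervm and rewriting each property with only the offending entry removed instead of clearing it. The added comment says "legacy MD5 based cert" while the description attributes the failure to the EC key restrictions from JDK-8148516; the comment should name the constraint that actually rejects the certificate.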

To fix this bug, add the SHA256withECDSA certificate (dummyecdsa) in jdk9 from the truststore and keystore at /jdk/test/javax/net/ssl/etc/. However, that will cause at least two SSL tests to fail: javax/net/ssl/ciphersuites/DisabledAlgorithms.java, with a "no appropriate protocol" error, and sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java, with a handshake failure. This is somehow still related to the addition of the new certificate, because they did not fail before the cert was added. Many of these certs need to be examined because of expiration and algorithm constraints, so I am not fixing the B8025710 test failure and am putting it on the problem list.
16-03-2017