在rocky8.5上,有个jdk8跑的程序连接windows上SQL Server2012失败了,环境如下:
[zcm@rocky microService]$ cat /etc/redhat-release Rocky Linux release 8.5 (Green Obsidian)
[root@rocky security]# java -version openjdk version "1.8.0_302" OpenJDK Runtime Environment (build 1.8.0_302-b08) OpenJDK 64-Bit Server VM (build 25.302-b08, mixed mode)
错误如下:
2023-12-17 16:10:44,813|INFO|org.quartz.core.QuartzScheduler|585|Scheduler quartzScheduler_$_NON_CLUSTERED paused.
2023-12-17 16:10:44,837|ERROR|com.alibaba.druid.pool.DruidDataSource|2787|create connection SQLException, url: jdbc:sqlserver://192.168.10.66:1433;databaseName=JTSZHManage;trustServerCertificate=true;Encrypt=true;, errorCode 0, state 08S01
com.microsoft.sqlserver.jdbc.SQLServerException: 驱动程序无法通过使用安全套接字层(SSL)加密与 SQL Server 建立安全连接。错误:“Certificates do not conform to algorithm constraints”。 ClientConnectionId:fffb7ce4-4898-4e9e-8abe-86f3750ff2dd
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2998) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1884) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2558) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2216) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2067) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1204) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:825) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
at com.alibaba.druid.filter.FilterChainImpl.connection_connect(FilterChainImpl.java:156) ~[druid-1.2.4.jar!/:1.2.4]
at com.alibaba.druid.filter.stat.StatFilter.connection_connect(StatFilter.java:227) ~[druid-1.2.4.jar!/:1.2.4]
at com.alibaba.druid.filter.FilterChainImpl.connection_connect(FilterChainImpl.java:150) ~[druid-1.2.4.jar!/:1.2.4]
at com.alibaba.druid.pool.DruidAbstractDataSource.createPhysicalConnection(DruidAbstractDataSource.java:1654) ~[druid-1.2.4.jar!/:1.2.4]
at com.alibaba.druid.pool.DruidAbstractDataSource.createPhysicalConnection(DruidAbstractDataSource.java:1718) ~[druid-1.2.4.jar!/:1.2.4]
at com.alibaba.druid.pool.DruidDataSource$CreateConnectionThread.run(DruidDataSource.java:2785) [druid-1.2.4.jar!/:1.2.4]
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0_302]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324) ~[?:1.8.0_302]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:1.8.0_302]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_302]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_302]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_302]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_302]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_302]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_302]
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1802) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
... 11 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1427) ~[?:1.8.0_302]
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1352) ~[?:1.8.0_302]
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1296) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_302]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_302]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_302]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_302]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_302]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_302]
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1802) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]
... 11 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=SSL_Self_Signed_Fallback
at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:893) ~[?:1.8.0_302]
at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:509) ~[?:1.8.0_302]
at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:252) ~[?:1.8.0_302]
at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:198) ~[?:1.8.0_302]
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:292) ~[?:1.8.0_302]
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1423) ~[?:1.8.0_302]
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1352) ~[?:1.8.0_302]
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1296) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_302]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_302]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_302]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_302]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_302]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_302]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_302]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_302]
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1802) ~[mssql-jdbc-8.2.0.jre8.jar!/:?]先
先说明下数据库连接的配置:
datasource:
type: com.alibaba.druid.pool.DruidDataSource
driverClassName: com.microsoft.sqlserver.jdbc.SQLServerDriver
druid:
master:
url: jdbc:sqlserver://192.168.110.999:1433;databaseName=xxxx;trustServerCertificate=true;Encrypt=true;
username: 111
password: 111111
最终通过以下方案解决:
https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8
# update-crypto-policies --set LEGACY
- CertPathValidatorException security java certcertpathvalidatorexception security java cert certpathvalidatorexception invalidkeyexception security illegal java java security镜像 邮件 invalidkeyexception security java messagedigest 20230711 security java invalidkeyexception java security illegal cert cert-manager certs