LDAPS Connection Problem

I got this Exception:

CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate:...

I think the cert (I cannot change it), which comes from a read-only DC, is using only a 1024-bit key.
I tried to set the parameters:

-Djava.security.debug=certpath

on OPENFIRE_OPTS
and

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
jdk.tls.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024

jdk.security.legacyAlgorithms=SHA1, MD5, RSA keySize < 1024, DSA keySize < 2048

in the JVM's java.security file, with no luck.

After enabling ldap.debugEnabled I can see the following line in …/logs/nohup.out:

certpath: Constraints: RSA keySize < 2048

So the problem is, I cannot connect via LDAPS to the DC… LDAP without SSL works.

OS: RHEL 8.3
OF: 4.7 Master, OpenJDK 11
LDAP-Server: Windows Server 2012 R2

I solved the problem:

In the java.security file there was a parameter

security.useSystemPropertiesFile=true

so a second file, /etc/crypto-policies/back-ends/java.config, was loaded and overrode the params in java.security.

So I could set security.useSystemPropertiesFile to false or change the param

jdk.certpath.disabledAlgorithms

in file

/etc/crypto-policies/back-ends/java.config
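The override chain described in this post, as an added example (not code from the post or from Openfire): it models how the JDK reads java.security and then, when security.useSystemPropertiesFile=true, lets the crypto-policies java.config replace matching keys, and it tells you whether a certificate with a given RSA key size would trip the effective jdk.certpath.disabledAlgorithms constraint. Both configuration texts are constructed samples, and the precedence model is simplified to the two files named in the post.

```python
import re

# Constructed sample of the JVM's java.security (values taken from the post's attempt).
JAVA_SECURITY = """\
# java.security (constructed sample)
security.useSystemPropertiesFile=true
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024
"""

# Constructed sample of /etc/crypto-policies/back-ends/java.config on a RHEL 8 host.
JAVA_CONFIG = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 2048, DSA keySize < 2048
"""

def parse_props(text):
    """Parse key=value lines, honouring the backslash line continuations java.security uses."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = (pending + raw).strip()
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def effective_props(java_security_text, java_config_text=None):
    """java.security first; if security.useSystemPropertiesFile=true, java.config overrides same-named keys."""
    props = parse_props(java_security_text)
    if props.get("security.useSystemPropertiesFile", "false").lower() == "true" and java_config_text:
        props.update(parse_props(java_config_text))
    return props

def rsa_min_keysize(disabled_algorithms):
    """Smallest RSA key size still accepted under the 'RSA keySize < N' entries (None if unconstrained)."""
    sizes = [int(n) for n in re.findall(r"RSA\s+keySize\s*<\s*(\d+)", disabled_algorithms)]
    return max(sizes) if sizes else None

def certpath_rejects_rsa(java_security_text, java_config_text, key_bits):
    """True if a certificate carrying an RSA key of key_bits fails the effective certpath constraint."""
    constraint = effective_props(java_security_text, java_config_text).get("jdk.certpath.disabledAlgorithms", "")
    threshold = rsa_min_keysize(constraint)
    return threshold is not None and key_bits < threshold

if __name__ == "__main__":
    print("1024-bit cert rejected with the crypto-policies override:",
          certpath_rejects_rsa(JAVA_SECURITY, JAVA_CONFIG, 1024))                           # True
    print("1024-bit cert rejected with security.useSystemPropertiesFile=false:",
          certpath_rejects_rsa(JAVA_SECURITY.replace("=true", "=false"), JAVA_CONFIG, 1024))  # False
```

Point it at the real files on a host to confirm which of the two is actually supplying the "RSA keySize < 2048" constraint seen in the certpath debug output before editing either.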