
My website is hosted on Amazon. It is built on the Microsoft version of Java 1.4.2_13. I noticed emails were not going out. I had not made any changes to the code. I found this document on Amazon's site and followed their directions to find out that our Java environment did not pass the test. So, I imported the new SSL root certificate. I can verify that it is in the keystore, but I get the following error message when I run their shaTest, and emails are still not being sent. Any help is appreciated. Thanks!

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at java.net.URLConnection.getContent(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContent(Unknown Source)
    at java.net.URL.getContent(Unknown Source)
    at ShaTest.main(ShaTest.java:11)
Caused by: sun.security.validator.ValidatorException: Certificate signature validation failed
    at sun.security.validator.SimpleValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
    ... 14 more
Caused by: java.security.NoSuchAlgorithmException: 1.2.840.113549.1.1.11 Signature not available
    at java.security.Security.getEngineClassName(Unknown Source)
    at java.security.Security.getEngineClassName(Unknown Source)
    at java.security.Security.getImpl(Unknown Source)
    at java.security.Signature.getInstance(Unknown Source)
    at sun.security.x509.X509CertImpl.verify(Unknown Source)
    at sun.security.x509.X509CertImpl.verify(Unknown Source)
    ... 18 more
Vida
  • Welcome to StackOverflow. Please take care when adding code to make sure it's formatted correctly as a code block. Four spaces are required at the beginning of every line to place code in a code block. Simplest is to select all the code then click the "Code" button in the toolbar. – Cindy Meister Jan 29 '16 at 19:23
  • Thanks Cindy! Yes, I'm new here. – Vida Jan 29 '16 at 19:28
  • Check if [this](http://stackoverflow.com/questions/6365209/java-and-ssl-java-security-nosuchalgorithmexception) helps. Generally speaking, it means that the installed version of Java lacks libraries. Bouncycastle or something alike not included, perhaps? – Alfabravo Jan 29 '16 at 19:35
  • Can you turn on debugging and post the result here? For Sun's JVM, you can turn on debugging by passing the java executable the option -Djavax.net.debug=all – Rodrigo Murillo Jan 29 '16 at 19:40

1 Answer


Java itself got SHA256 support in 1.4.2, but the Microsoft Java may not, especially because it's been discontinued for a long time. You might be able to use bouncycastle.

Note Java 1.4 came out in 2002. That's 14 years ago. That should be a huge red flag; I wouldn't run that on any machine connected to the Internet.

tedder42
  • Unfortunately, I am stuck with this version of Java. I will look at bouncycastle to see if I can use it. Was there anything worth paying attention to in the debug output I posted? Sorry, I'm new to SSL. – Vida Jan 29 '16 at 23:02
  • NoSuchAlgorithm is interesting, you might find a workaround [here](https://stackoverflow.com/questions/16435654/keytool-error-importing-ssl-certificate-into-j9-keystore). Basically security is evolving, even java7 isn't capable of supporting some of the modern TLS-only policies. – tedder42 Jan 29 '16 at 23:06
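The root cause in the trace is the innermost exception: `1.2.840.113549.1.1.11` is the OID for `SHA256withRSA`, and the validator could not find any installed provider that implements it, so importing a new root certificate cannot help by itself (the JVM must be able to verify the signature on the chain that the server presents). The following diagnostic is an added example, not code from the question, the answer, or Amazon's own test; it checks whether the running JVM can supply SHA-256 and `SHA256withRSA`, optionally registers Bouncy Castle if the jar is on the classpath, and then tries to verify every self-signed root in a keystore so you can see which entries this JVM cannot validate. The class name `SigAlgCheck`, the default keystore path and the `changeit` password are assumptions; the code is written in Java 1.4 syntax (no generics, no for-each) on purpose.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/*
 * Added diagnostic (hypothetical class name), not part of the original post.
 * Usage: java SigAlgCheck [keystorePath] [keystorePassword]
 * Defaults (assumed): $JAVA_HOME/lib/security/cacerts and "changeit".
 */
public class SigAlgCheck {

    // Try to register the Bouncy Castle provider if bcprov is on the classpath.
    // The class is loaded reflectively so this file compiles without the jar.
    static boolean addBouncyCastle() {
        try {
            Class c = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Security.addProvider((Provider) c.newInstance());
            return true;
        } catch (Throwable t) {
            return false;
        }
    }

    // True if some installed provider implements the named signature algorithm.
    // The validator in the stack trace asks for it by OID, so we test both forms.
    static boolean signatureAvailable(String alg) {
        try {
            Signature.getInstance(alg);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    static boolean digestAvailable(String alg) {
        try {
            MessageDigest.getInstance(alg);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();

        System.out.println("JVM: " + System.getProperty("java.version")
                + " (" + System.getProperty("java.vendor") + ")");
        System.out.println("Bouncy Castle registered: " + addBouncyCastle());
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.println("  provider " + (i + 1) + ": " + ps[i].getName()
                    + " " + ps[i].getVersion());
        }
        System.out.println("SHA-256 digest available:          " + digestAvailable("SHA-256"));
        System.out.println("SHA256withRSA available:           " + signatureAvailable("SHA256withRSA"));
        System.out.println("OID 1.2.840.113549.1.1.11 available: "
                + signatureAvailable("1.2.840.113549.1.1.11"));

        // Load the trust store and try to verify each self-signed root with its own key.
        // A NoSuchAlgorithmException here reproduces the failure from the handshake
        // without needing network access.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, pw); } finally { in.close(); }

        Enumeration aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) continue;
            String sig = x.getSigAlgName() + " (" + x.getSigAlgOID() + ")";
            try {
                x.verify(x.getPublicKey());
                System.out.println("OK      " + alias + " " + sig);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("NO-ALG  " + alias + " " + sig + " -> " + e.getMessage());
            } catch (Exception e) {
                System.out.println("FAIL    " + alias + " " + sig + " -> " + e);
            }
        }
    }
}
```

If `SHA256withRSA` prints `false` with Bouncy Castle unregistered and `true` once `bcprov` is on the classpath, the provider route the answer suggests is viable on this JVM; a `NO-ALG` line for the imported Amazon root shows the same condition the handshake hit. Note that a provider added with `Security.addProvider` only affects the process that calls it, so the mail-sending application itself (not just the test class) has to register it, for example at startup or through `java.security` in the JRE.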