« Groovy 1.7.4 and 1.8.0-Beta 1 Released | Main | Apache Tomcat 6.0.29 Released Today »

07/23/2010

Java's Recent SSL Problems

This ultimately adds more fodder for my recent post regarding SSL but Oracle seems to be having a few problems with SSL and TLS too lately.  Outside of disabling TLS Renegotiation in Java 1.6 Update 19, which has the potential to cause us quite a few headaches, Update 19 also broke a lot of ssl connections that utilized perfectly valid ssl certificates signed using the older MD2/MD5 root certificates.  Java applications typically would see exceptions like this one in their logs for this particular bug:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm check failed: MD2withRSA is disabled

Fortunately for me, at least, this didn't cause too many issues for my site's customers and the issue finally appears to be fixed in Update 21 but, boy, Update 19 sure wasn't a very pleasant update for me professionally.  My gentle reminder to anyone running JVMs is do not enable that Automatic Update option on your servers or important client systems and read those release notes very carefully!

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01156fbc6fe6970c0134859aa06b970c

Listed below are links to weblogs that reference Java's Recent SSL Problems:

Comments