SSl Handshake validation error in connection to SQL Server by JDBC driver

Question

I am trying to connect to SQL Server from linux using its latest JDBC driver in a spring boot application. When I use eclipse to run junit testcase, I get a "ssl handshake" error. When I run in command line using mvn everything is fine.

Do I miss something or make any mistake within my configuration:

@RunWith(SpringRunner.class)
@SpringBootTest
public class BarcodeRepositoryTest {

    @Autowired
    private BarcodeRepository addressRepository;

    @Test
    public void testFetchData() {
        List<Barcode> addresses = addressRepository.findAll();

        assertNotNull(addresses);
        assertNotEquals(0, addresses.size());
    }
}




spring.datasource.url=jdbc:sqlserver://[server]:1433;databaseName=ITTemp
spring.datasource.username=[username]
spring.datasource.password=[password]
spring.datasource.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.SQLServer2008Dialect
spring.jpa.hibernate.ddl-auto=none

Error Stacktrace:

Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1120) ~[na:1.8.0_172] at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1044) ~[na:1.8.0_172] at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:986) ~[na:1.8.0_172] at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ~[na:1.8.0_172] ... 86 common frames omitted Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=SSL_Self_Signed_Fallback. Usage was tls server at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:817) ~[na:1.8.0_172] at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:419) ~[na:1.8.0_172] at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167) ~[na:1.8.0_172] at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:332) ~[na:1.8.0_172] at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1116) ~[na:1.8.0_172]

I see this error when I run testcases from eclipse.

Answer 1

I encountered this same issue with SQL Server 2014 and Open JDK 11. I ultimately solved it by creating a self-signed certificate for the SQL Server 2014 instance by following the instructions:

https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-2014

This problem is because the default self-signed certificate generated by SQL Server uses one or more algorithms not allowed by the JDK when it tries to validate the certificate provided by the SQL Server instance. The key is to generate a new self-signed certificate (following the guidance above) that will be accepted by the JDK. Adding back in the disallowed algorithms will almost certainly result in opening yourself up to using weaker encryption.

Answer 2

It looks like incompatible SSL algorithms between client and server, see jdk.tls.disabledAlgorithms in $JAVA_HOME/jre/lib/security/java.security.

Is the java version on the server side the same as on the client side?