Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Java and Old Hash Algorithms

Published: 2013-09-13
Last Updated: 2013-09-13 15:43:22 UTC
by Rob VandenBrink (Version: 1)
5 comment(s)

David, one of our readers, emailed wih a question - when he tries to interact with a particular print driver, he gets a Java error:

PKIX path validation failed:
java.security.cert.CertPathValidatorException:
Algorithm constraints check failed: MD2withRSA

This error comes up because as of Java 7, MD2 hashing and any RSA hash under 1024 bits are disabled.  Since this is a (very) old printer driver, the fact that it still uses MD2 is not a surprise - but what to do next?

OK - the obvious answer is to upgrade out of the problem - if the driver has an update, apply it.  But how do we get to the interface given the Java situation?  The answer is buried in the Java config files - - edit the file java.securty, which in Windows is found at: "C:\Program Files (x86)\Java\jre7\lib\security"

In this file, you'll find the line:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Edit or comment out this line, and MD2 will work for you again. But don't leave it like this - this enables all those certs with weak hashes, which leaves you open to a world of hurt.  In this case, it gets you access back to the interface so you can upgrade to a newer version.  If there is no newer version, it gives you access until you can upgrade the hardware or app that's causing the problem.

===============
Rob VandenBrink
Metafore

Keywords:
5 comment(s)
Diary Archives