Aladin Astronomy Software - Java Problem

eve7 · December 14, 2021, 9:41am

Hey all,

I am running Fedora 35 Workstation. I have downloaded
java-1.8.0-openjdk.x86_64 and
java-11-openjdk.x86_64 to run Aladin Software.

My question is kind of exactly the same question given by this:
https://discussion.fedoraproject.org/t/java-crypto-policies-aladin-sky-atlas/60062

My error is something like this:

Aladin is developed by Pierre Fernique, Thomas Boch, Anaïs Oberto, François Bonnarel and Chaitra
  (c) 2020 Université de Strasbourg/CNRS - developed by CDS, distributed under GPLv3
Your JVM release is java 11.0.13 / Red Hat, Inc.
Caching not available for [https://vizier.cds.unistra.fr/viz-bin/asu-xml/V1.1?-meta.aladin=all] !!!
metaDataQuery : javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:572)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
	at cds.tools.Util.openConnectionCheckRedirects1(Util.java:277)
	at cds.tools.Util.access$000(Util.java:126)
	at cds.tools.Util$OpenConnection.run(Util.java:254)
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1681)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1606)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1550)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
	... 19 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1677)
	... 22 more
VizieR meta query error javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints

The given answers to that problem suggests to change the crypto-policies, however I do not want to to that for the security reasons. So is there any other way to solve the problem…? Is it safe to change the crypto-policies …?

alciregi · December 14, 2021, 10:46am

You have two choices:

change the crypto-policies on your system, yes^[1]
ask to and hope that Aladin folks deploy a more modern certificate

for the security reasons: it doesn’t expose your system to external attacks, but it simply allow to accept less secure certificates signed with deprecated and weak algorithms. If you are concerned, the alternative you have is to not use sites and services that provides such certificates. ↩︎

eve7 · December 14, 2021, 3:23pm

Well I’ll try to contact with them. Hope they can manage to change something…

eve7 · December 15, 2021, 3:04pm

Hey again, I have asked them, however no reply so far. I wonder if the problem cannot be due to my browser or browser settings, right?