David,

We have notified the SQL server admin to upgrade their key off SHA1. Prior to
this, we thought we had something in NiFi that uses SHA1 as the log does not
say where the issue is coming from.

Will find out soon for the next step when they are ready.

Thanks,

Martin.

On 2023/08/23 15:41:59 David Handermann wrote:
> Martin,
>
> Thanks for providing the detailed background.
>
> Based on the error message and configuration, it sounds like the MS
> SQL server has a certificate signed with SHA-1.
>
> SHA-1 is not secure for cryptographic operations, provisioning a new
> database server certificate and restoring the default Java security
> policy is highly recommended.
>
> Regards,
> David Handermann
>
> On Wed, Aug 23, 2023 at 10:34 AM Martin Fong <ma...@toronto.ca> wrote:
> >
> > We have an MS SQL connection that worked fine with RH7.
> >
> > Once we upgraded to RH9 and the crypto policies=DEFAULT
> > (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/considerations_in_adopting_rhel_9/assembly_security_considerations-in-adopting-rhel-9)
> >
> > We are getting the following errors:
> >
> > Failed to establish Database Connection: java.sql.SQLException: Cannot 
> > create PoolableConnectionFactory ("encrypt" property is set to "true" and 
> > "trustServerCertificate" property is set to "true" but the driver could not 
> > establish a secure connection to SQL Server by using Secure Sockets Layer 
> > (SSL) encryption: Error: Certificates do not conform to algorithm 
> > constraints. ClientConnectionId:b844ea35-c351-43e7-8645-5c676d2b3cce)
> >
> > From the log java trace got this at the end:
> > Caused by: java.security.cert.CertPathValidatorException: Algorithm 
> > constraints check failed on signature algorithm: SHA1withRSA
> >
> > We have searched many areas and found similar issue: 
> > https://github.com/keycloak/keycloak/issues/19185
> >
> > People are saying to put SHA1 back to 
> > /etc/crypto-policies/back-ends/java.config
> >
> > When we set crypto policies = LEGACY, NiFi SQL connection worked again.  
> > Meaning SHA1 is back.
> >
> > We have set the following in NiFi:
> > nifi.web.https.ciphersuites.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> >
> > Also verified the keystore/truststore that NiFi uses is SHA256.
> >
> > The SQL driver we are using: mssql-jdbc-12.4.0.jre8.jar
> >
> > Is there a way to find out where that SHA1withRSA is coming from?
> >
> > Please advise,
> > Martin Fong
> > Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
> > Technology Services Division, Technology Infrastructure Services
> > City of Toronto
> > 703 Don Mills Road, 2nd Floor
> > Toronto, ON
> > M3C 3N3
> > Tel: 416-397-7565
> > e-mail: martin.f...@toronto.ca<ma...@toronto.ca>
> >
>
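Martin's question (where the SHA1withRSA is coming from) is answered by reading the signatureAlgorithm field of each certificate the SQL Server presents, rather than inferring it from the Java log. The following is an added example, not code from this thread, from NiFi or from the mssql-jdbc driver: a stdlib-only Python DER walker that reports a certificate's outer signature algorithm, plus a constructed certificate skeleton (dummy tbsCertificate and signature bytes, real outer structure) used only to exercise it.

```python
# X.509 signature AlgorithmIdentifier OIDs, labelled with the Java names seen in the log.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID content -> dotted string (first byte packs the first two arcs)."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            parts.append(str(val)); val = 0
    return ".".join(parts)

def signature_algorithm(cert_der):
    """Return (oid, name) for the outer signatureAlgorithm of a DER-encoded certificate."""
    tag, body, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not an X.509 Certificate SEQUENCE (base64-decode PEM first)")
    _, _tbs, pos = _tlv(body, 0)           # tbsCertificate: skip over it
    _, alg, _ = _tlv(body, pos)            # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid_raw, _ = _tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_raw)
    return oid, SIG_ALG_OIDS.get(oid, "unknown")   # a SHA1* name is what Java rejects

# --- constructed sample, not a real certificate: only the outer structure is genuine ---
def _der(tag, content):                    # short-form length is enough for the sample
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid_der):
    """Certificate ::= SEQUENCE { dummy tbs, AlgorithmIdentifier{oid, NULL}, dummy BIT STRING }."""
    alg = _der(0x30, _der(0x06, sig_oid_der) + b"\x05\x00")
    return _der(0x30, _der(0x30, _der(0x02, b"\x02")) + alg + _der(0x03, b"\x00" * 17))

SHA1_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
```

To check the real server, export its certificate (and the issuing CA certificates) from the SQL Server host in DER form and pass the bytes to `signature_algorithm`; run it over every certificate in the chain, since the constraint applies to the signature on each certificate, not only the leaf.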