<OpenSSL::SSL::SSLError: Certificates do not conform to algorithm constraints>,

Nikhitha_Karennagari · October 10, 2022, 6:53am

Getting the below error when trying to connect to remote syslog server using ssl-tcp protocol.

SSL Error {:exception=>#<OpenSSL::SSL::SSLError: Certificates do not conform to algorithm constraints>, :backtrace=>['org/jruby/ext/openssl/SSLSocket.java:265:in `connect'', '/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5.E001/lib/logstash/outputs/syslog.rb:223:in `connect'', '/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5.E001/lib/logstash/outputs/syslog.rb:187:in `publish'', '/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-plain-3.1.0/lib/logstash/codecs/plain.rb:59:in `encode'', '/opt/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in `block in encode'', 'org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:65:in `time'', 'org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:64:in `time'', '/opt/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in `encode'', '/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5.E001/lib/logstash/outputs/syslog.rb:147:in `receive'', '/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in `block in multi_receive'', 'org/jruby/RubyArray.java:1820:in `each'', '/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in `multi_receive'', 'org/logstash/config/ir/compiler/OutputStrategyExt.java:143:in `multi_receive'', 'org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in `multi_receive'', '/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:295:in `block in start_workers'']}

Any suggestions on how to solve the below error. I am using java 11.

Badger · October 10, 2022, 3:53pm

You can examine the certificates that the syslog server is presenting by using

openssl s_client -showcerts -connect <server>:<port>

Then look for jdk.certpath.disabledAlgorithms in the java.security file that you are using. My /usr/share/logstash/jdk/conf/security/java.security has

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

Nikhitha_Karennagari · October 11, 2022, 4:29am

Thank you @Badger , Will get back after verifying.

Nikhitha_Karennagari · October 13, 2022, 6:22am

Hi @Badger ,
Getting the below error when trying to check the certs with openssl command.

139755014403904:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:
139755014403904:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=111

Also this is the content of security file

#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \

Badger · October 13, 2022, 4:01pm

That would suggest that either the server is not listening or a firewall is blocking the request.

system · November 10, 2022, 4:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.