PM “Certificates do not conform to algorithm constraints”

I still use a couple of “end-of-life” X Edge firewalls at non-critical sites.
After updating WSM from 12.5.1 to 12.6.1 I got the error “A connection could not be established to the Firebox. Failed to read servers response: Certificates do not conform to algorithm constraints.” when trying to download/upload configurations.
I thought I’d share a solution in case someone else runs into this issue.

Turned out the algorithms MD5 and MD5withRSA that these devices apparently use are now deprecated and blocked.

If you can live with the security risks these algorithms have, you can edit the file "C:\Program Files (x86)\Common Files\WatchGuard\java\jre11.0.4\conf\security\java.security"

Remove MD5 and MD5withRSA from the lines below and PM starts working again.

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL

You will get the error “An error occurred while refreshing 'Front Panel': java.lang.reflect.InvocationTargetException” on the Front Panel tab in WSM, but at least you can change configuration.

This tip comes without support or responsibility and is implemented at your own risk.
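As an added example (not part of the original post, and not WatchGuard's code), here is a small Python audit script that parses the two java.security properties quoted above, joining the backslash line continuations the real file uses, and reports whether the MD5 and MD5withRSA constraints are still in force. It is useful for spotting a WSM installation where this workaround was applied and later forgotten; the SAMPLE text is constructed from the post.

```python
# Audit java.security disabledAlgorithms properties for the MD5 constraints
# discussed in the post. Sample text is constructed from the post's two lines.
SAMPLE = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""


def parse_properties(text):
    """Parse java.security-style key=value lines, joining '\\' continuations."""
    props = {}
    pending = []  # fragments of the logical line being assembled
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue  # skip blank and comment lines between properties
        if line.endswith("\\"):
            pending.append(line[:-1])  # drop the continuation marker
            continue
        pending.append(line)
        key, _, value = "".join(pending).partition("=")
        props[key.strip()] = value.strip()
        pending = []
    return props


def constraints(value):
    """Split a disabledAlgorithms value into its comma-separated constraints."""
    return [c.strip() for c in value.split(",") if c.strip()]


def audit(props):
    """Report whether the two MD5-related constraints the post removes are present."""
    certpath = constraints(props.get("jdk.certpath.disabledAlgorithms", ""))
    tls = constraints(props.get("jdk.tls.disabledAlgorithms", ""))
    return {
        "certpath_blocks_md5": "MD5" in certpath,
        "tls_blocks_md5withrsa": "MD5withRSA" in tls,
    }


if __name__ == "__main__":
    # Point this at the real file to audit an installation, e.g.
    # open(r"C:\...\conf\security\java.security").read()
    for name, ok in audit(parse_properties(SAMPLE)).items():
        print(f"{name}: {'enforced' if ok else 'REMOVED (weakened)'}")
```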

