Java 7 Handshake error

Brett

20 Sep, 2011 02:44 AM via web

I've been using an older version of Moneydance to connect to online banking at PNC Bank. I tried to connect today to download transactions, and got an error about SSL Handshake. I poked around a bit on Infinite Kind and it seemed like some people had the problem a while back with TD Bank, and an upgrade of Moneydance solved it. So I just bought the upgrade, installed it, and now I'm getting exactly the same error (see below). Any ideas? I would really like to be able to continue to use Moneydance for banking, since it has served me well for years.

A communication or parsing error occurred. This could be the result of a network problem, a proxy error, or misconfigured server.
Error Description: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

  1. Support Staff 2 Posted by Jessica Little on 20 Sep, 2011 03:03 PM

    Hi Brett,

    You may need to recreate your connection to clear this error. To do so, you can follow these steps:

    1) Select your bank account in Moneydance
    2) Select the Online->Setup Online Banking button/menu
    3) Click the Disable button. If you don't see a disable button, continue to step 5.
    4) Select the Online->Setup Online Banking button/menu (again)
    5) Click the New Connection button and select your bank from the list of available institutions that pops up. Hit OK
    6) Continue with the setup process, entering your username/password
    7) Repeat steps 1-6 for any additional accounts

    Make sure you pick new connection, even though your bank is still one of the connection choices after you disable it. Choosing your bank from the list of available banks will force Moneydance to download the updated information, which should then allow you to connect.

    Please let me know if you continue to have connection problems after recreating your connection.

    Jessica Little
    Moneydance Support

  2. 3 Posted by Brett on 20 Sep, 2011 03:41 PM

    After Step 5, when I pick PNC Bank via the "Financial Institution" pulldown, I get an error dialog:
    I'm sorry, an error occurred: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

  3. 4 Posted by Brett on 20 Sep, 2011 03:45 PM

    Further background that you might want:
    My account is enabled for Quicken access, I confirmed that via the PNC website last night.
    I was able to download transactions a few days ago using the older version of Moneydance, as I have been doing for years. Starting yesterday, that no longer worked, and upgrading to the newest version gives the same error.

    I'm using Windows XP, Java Version: 1.7.0. Moneydance 2011 (791)

  4. Support Staff 5 Posted by Jessica Little on 20 Sep, 2011 08:23 PM

    Hi Brett,

    It seems like Moneydance is having trouble forgetting your old connection information. To fix this, you'll need to force clear the current connection information for your bank in Moneydance. I'm sending a file called remove_one_service.py that will help do that. Before proceeding, please back up your Moneydance file, just in case something goes wrong. So far, this hasn't caused any problems, but better safe than sorry!

    To use the file, first save it to your computer and then follow these steps:

    1) In Moneydance, click on the Extensions Menu and choose the Add... option
    2) In the window that pops up, make sure the From Internet option is selected and then click next.
    3) From the list of available extensions, choose the python scripting interface extension, then click Next to download the extension and finish to complete the installation.
    4) Again, click the Extensions menu. This time, choose the Python Interface option.
    5) In the python scripting window, click the read from file button and load the file from wherever you saved it. You will be asked to select which connection you want to clear. Choose your bank, and click OK. You'll get a confirmation message when the connection has been removed. Close the window when done.
    6) Set up the connection to your bank like normal. Since all of your settings have been cleared, you should get the most recent connection information for your bank.

    Hopefully, that will work. If it doesn't, let me know and we'll continue troubleshooting.

    Jessica Little
    Moneydance Support

  5. 6 Posted by Brett on 20 Sep, 2011 10:02 PM

    Same exact error after using the python script to remove the existing info. Here is some more info from the Moneydance console:

    setStatus(Retrieving financial institution profile..., -1.0)
    warning: unable to refresh FI info from moneydance.com. error: java.lang.Exception: Got non-OK response when querying FI info: 404
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    (followed by a big long stack dump, which I'm happy to post if it is useful)

  6. Support Staff 7 Posted by Jessica Little on 21 Sep, 2011 03:13 PM

    Hi Brett,

    If you would be willing, could you send me the contents of your error console? Here's how to get the logs:

    1) In Moneydance, click on the Help menu and select the Console Window option. This will open the console messages window.
    2) While the Console Window is open, attempt to connect to your bank. Any error messages should be recorded to the Console.
    3) Select all of the text in the Console and use the Copy to Clipboard button at the bottom to copy the text.
    4) Paste the text from the message window into a text file (preferably saved with a .txt or .rtf extension) and attach that file to your response here.

    The debugging logs that this produces will contain your account information. I've made sure that this conversation is private, so the info won't be broadcast to the world, but just to be safe you should redact any account info in the debug logs. Just replace it with something like ACCOUNT NUMBER HERE and it should be fine.

    Jessica Little
    Moneydance Support

  7. 8 Posted by hleofxquotes on 22 Sep, 2011 12:11 AM

    I've seen this error before with Java 1.7 (in other Java contexts, not by using MoneyDance). Try Java 1.6 and see if that will work around the error. I can give a more technical explanation (related to certificates and SSL) if needed.

  8. 9 Posted by Brett on 22 Sep, 2011 03:52 AM

    hleofxquotes: Do you know how to make Moneydance use an older version of Java? I disabled 1.7 from the Java control panel, but that didn't work, even after I killed all the running java processes (java, javaw, jqs). Then I uninstalled 1.7, but Moneydance console still claims to be using 1.7, not sure where it is getting it from.

  9. 10 Posted by Brett on 22 Sep, 2011 04:31 AM

    hleofxquotes: Turns out I had to uninstall the 1.7 JDK as well, even though the Java control panel didn't seem to know about it. Anyway, now that Moneydance is using version 1.6.0_24, things work again. Thanks.

    Jessica: since the 1.7 JRE seems to be the issue for this problem (since the exact same code works running under 1.6), any thoughts on a fix so I can use 1.7 again? If you want additional debugging info, I can try reinstalling 1.7 and generating a log, but it may be a few days until I have time to do that.

  10. 11 Posted by hleofxquotes on 22 Sep, 2011 06:55 PM

    Actually, since I opened this can of worms, let me try to clarify. It was not something MoneyDance does; it is an additional check that JDK 1.7 performed when it interacted with PNC's certificate.

    This error is related to a change in JDK 1.7 that adds an additional check to the certificate chain. 1.7 will error out if any of the certificates along the chain uses an algorithm that is deemed no longer safe. Out of the box, JDK 1.7 has MD2 in that unsafe list.

    For PNC (https://www.oasis.cfree.com/..), the certificate chain has a certificate by Verisign that is using MD2. And therefore JDK 1.7 rejects the certificate.

    cert-3.pem-text.txt: Signature Algorithm: md2WithRSAEncryption
    cert-3.pem-text.txt: Public Key Algorithm: rsaEncryption
    cert-3.pem-text.txt: Signature Algorithm: md2WithRSAEncryption

    subject= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

    The right fix really is for the bank to get a new certificate that does not have MD2 in its chain. Good luck in trying to explain that to PNC ;-).

    I think there is a system property that can be used to manage the disable-algo list but I have never tried it:

    jdk.certpath.disabledAlgorithms=MD2

    See the ./jre/lib/security/java.security file

    Reference:
    http://download.oracle.com/javase/7/docs/technotes/guides/security/...
    http://www.docjar.com/html/api/sun/security/ssl/SSLContextImpl.java...
    http://www.docjar.com/html/api/sun/security/provider/certpath/Algor...
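As an added illustration of the JDK 1.7 check hleofxquotes describes (example code written for this page, not part of the thread, of Moneydance or of the JDK): a script that parses the text dump `openssl x509 -text` produces for each certificate in a chain and reports which certificates a given `jdk.certpath.disabledAlgorithms` value would make JDK 7 reject. The chain text, the bank subject name and the function names are constructed for the example; only the MD2-signed VeriSign Class 3 root mirrors what the post quotes.

```python
import re
# Constructed sample (not from the thread): the `openssl x509 -text` lines that
# matter here for a three-certificate chain, leaf first; the root mirrors the
# MD2-signed VeriSign Class 3 root quoted in the post.
SAMPLE_CHAIN_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: C=US, O=Example Bank, CN=www.oasis.cfree.com
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Class 3 Secure Server CA
Certificate:
    Data:
        Signature Algorithm: md2WithRSAEncryption
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    Signature Algorithm: md2WithRSAEncryption
"""

def parse_disabled_algorithms(prop_value):
    """Lowercase names from a jdk.certpath.disabledAlgorithms value, e.g. 'MD2'.
    Key-size constraints such as 'RSA keySize < 1024' need the key, so are skipped."""
    entries = (e.strip() for e in prop_value.split(","))
    return {e.lower() for e in entries if e and " " not in e}

def parse_chain_text(text):
    """(subject, signature algorithm) per 'Certificate:' block, in file order.
    openssl prints the signature algorithm twice per certificate; the first wins."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Certificate:":
            certs.append(["", ""])
        elif certs and line.startswith("Subject:"):
            certs[-1][0] = line[len("Subject:"):].strip()
        elif certs and line.startswith("Signature Algorithm:") and not certs[-1][1]:
            certs[-1][1] = line[len("Signature Algorithm:"):].strip()
    return [tuple(c) for c in certs]

def find_rejected(chain, disabled):
    """Mimic the JDK 7 certpath check: flag each certificate whose signature algorithm
    names a disabled one ('md2WithRSAEncryption' -> 'md2'); one hit fails the chain."""
    rejected = []
    for subject, sigalg in chain:
        tokens = [t for t in re.split(r"with|[^a-z0-9]+", sigalg.lower()) if t]
        hits = [a for a in sorted(disabled) if a in tokens]
        if hits:
            rejected.append((subject, sigalg, hits[0]))
    return rejected
```

Feeding a real chain through it: save each certificate the server presents as PEM, run `openssl x509 -text` on each, concatenate the output and pass it to `parse_chain_text`.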

  11. 12 Posted by Brett on 23 Sep, 2011 04:20 AM

    Excellent explanation, thanks. Looks like something other PNC/Moneydance users will run into if they update to 1.7. I wonder if there is a way for Moneydance to programmatically disable the MD2 "unsafeness" setting. Fiddling java.security files is probably more advanced than most users would want to get, although I may give it a shot when I have time (I'm a programmer, so I'm not "most users").

  12. Support Staff 13 Posted by Jessica Little on 23 Sep, 2011 01:57 PM

    Eck...thanks for the detailed explanation, hleofxquotes. It would have taken me much more digging to finally get there. I'll look into what we can do in Moneydance to work around this, as the chances of PNC or any other bank getting a better certificate are small.

    Jessica Little
    Moneydance Support

  13. 14 Posted by Brandon on 12 Oct, 2011 02:48 PM

    Jessica, do you have any updates on this issue?

  14. Support Staff 15 Posted by Jessica Little on 15 Oct, 2011 01:54 PM

    Hi Brandon,

    None yet. We're still trying to figure out the best way to fix the problem. In the meantime, I'd recommend downgrading to Java 6 if you can, since this is a Java 7 related bug.

    Jessica Little
    Moneydance Support

  15. 16 Posted by Brandon Carlson on 15 Oct, 2011 02:33 PM

    We are manually downloading the OFX files from the PNC site & importing until you have a fix. Thanks.

  16. 17 Posted by Brett on 02 Jan, 2012 04:24 PM

    Was this ever resolved? I'd really like to be able to upgrade to the newer Java releases.

  17. Support Staff 18 Posted by Jessica Little on 02 Jan, 2012 05:29 PM

    Hi Brett,

    Not yet. We've been focused on getting a new version of the iPhone app out recently. However, this bug has top priority to get fixed for our next release. We'll update here when it's out.

    Jessica Little
    Moneydance Support

  18. 19 Posted by Brandon Carlson on 04 Jan, 2012 08:52 PM

    Hi Jessica & Brett,
    Thanks for the reply. I have other issues w/ rolling back to Java 6. The workaround we are using now, downloading the OFX files, while it's inconvenient, is working nicely for now.

    Have a Great Day
    Brandon

  19. 20 Posted by Brett on 07 Jan, 2012 02:08 AM

    After a bit of messing about, I discovered that you can make Moneydance run with a particular version of Java by doing this:
    1) start a cmd.exe window (start/run cmd.exe)
    2) cd to the moneydance directory (where moneydance.exe and moneydance.jar are located)
    3) do: "c:\Program Files (x86)\Java\jre6\bin\java.exe" -jar moneydance.jar

    The path for Java will depend on where you've installed Java 6 and what version of Windows you are running, but this works for me. And because it is running Java 1.6, the connection to PNC works.

    I put it in a batch file called "Moneydance.bat" in the Moneydance directory, and I can now just run that batch file to start things up so they work.

  20. 21 Posted by Brandon Carlson on 09 Jan, 2012 01:03 AM

    Brett,
    Thanks. I will try this tomorrow morning when I am more awake & give you a report of the results.

    Have a Great Day!
    Brandon

  21. 22 Posted by Brandon Carlson on 14 Jan, 2012 02:03 AM

    I got a little stuck on step three. Also, what are the contents of the batch file Moneydance.bat?

  22. 23 Posted by Brett on 16 Jan, 2012 04:53 AM

    The batch file should just contain the line to start Moneydance via the java executable. In my case, on a Windows 7 64-bit system:
    "c:\Program Files (x86)\Java\jre6\bin\java.exe" -jar moneydance.jar

    Your system may have java.exe in a different location, so you will need to check it to see where it is.

    However, I tried this with Moneydance 2011, and it doesn't seem to work. It started properly with older versions of Moneydance, but not with the current release.

    For the Moneydance folks:
    It really seems like it should be possible to tell Moneydance.exe which version of Java to use. EXE4J (which is what I think you use to build Moneydance.exe) should be able to pay attention to environment variables to specify the location of Java, but they don't seem to work for Moneydance. It would be great if you could at least make that work in the next release, so there was a clean way to make Moneydance run with a specific Java version.

  23. Support Staff 24 Posted by Jessica Little on 17 Jan, 2012 01:11 PM

    Hi Brett,

    Thanks for the catch. I'll look into the problem with the install system as well as fixing the bug so that you don't need to run Moneydance with a different version of Java.

    Jessica Little
    Moneydance Support

  24. Support Staff 25 Posted by Jessica Little on 11 May, 2012 12:55 PM

    Hi All,

    While testing a fix for this issue, I noticed that some banks seem to have resolved the problem. I suspect that what actually happened is that a Verisign intermediate certificate was actually to blame, which appeared as a number of banks having insecure certs.

    How many people are still having this problem with Java 7? Also, what banks are still showing this error?

    Jessica Little
    Moneydance Support

  25. 26 Posted by Jim on 13 May, 2012 05:03 AM

    I'm still having the problem with American Express.

  26. 27 Posted by Brandon Carlson on 17 May, 2012 11:53 AM

    Hi Jessica,
    It appears that you've made some progress to resolve my original issue/problem w/ PNC and Moneydance.

    I have some time this afternoon. Can you please summarize what I need to do in order to get where you are. Remember, I am not THE most technically proficient person, however, I do manage technical systems analysts, software developers, & QA Testers. So you don't have to completely dumb it down. I'll ask if there is something I don't understand.

    Kind Regards,

  27. 28 Posted by Mike P on 17 May, 2012 03:00 PM

    Hi Jessica -

    I'm having the problem with FifthThird. Is there an easier fix to this issue yet?

    Thanks

  28. 29 Posted by Jim on 17 May, 2012 03:15 PM

    I just updated my Java from "7 update 3" to "7 update 4" and that fixed my problem with American Express. Ensure you have the latest Java, maybe that will fix it for you too.

  29. Support Staff 30 Posted by Jessica Little on 21 May, 2012 12:38 PM

    Hi Jim,

    Thanks for that catch! Can others confirm/deny whether or not updating to Java 7u4 resolves the issue for them?

    Jessica Little
    Moneydance Support
