Hi Tim,
This generally means the server's cert is signed by an untrusted CA. You can get around this in a couple of ways.
- import the server's cert into the keystore you are using
- implement an SSL socket factory that is not so picky about who signed the cert. This is not recommended for production use but can be useful for testing. Take a look at the EasySSLProtocolSocketFactory described in <http://jakarta.apache.org/commons/httpclient/sslguide.html> for an example.
- Sign your server cert with a CA that is trusted by JSSE. Please take a look at the JSSE docs for info about which CAs are trusted.
Mike
On Jun 14, 2004, at 10:19 PM, Tim Wild wrote:
Thanks for that Oleg. Using JDK 1.5.0b2 does indeed get past the "invalid modulus size" error. I've got another error message now: "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found".
My apache server has a certificate from a certification authority called Digital Identity, in New Zealand. They have a root certificate authority, then two sub-CAs (perhaps called chained CAs). My server certificate and client certificate are chained under one of these sub-CAs. When I use Mozilla it all works perfectly, it requests the certificate, the browser presents it, and I can see the page I requested.
When I try the same thing using Java I get the error message above. I have a keystore with just my client certificate in it (nothing else), the same client certificate that works in Mozilla. I know it's finding the certificate because I'm having Java print out the alias of the certificate it's using. The CA certs are in the cacerts file of the JDK 1.5 I'm using.
Does anyone have any idea why I'm getting this error? Any thoughts or ideas about how to go forward or things to investigate would be welcome.
Thanks
Tim
Oleg Kalnichevski wrote:
Tim,
This is believed to be a limitation of all Sun's JCE/JSSE implementations up to Java version 1.5. You can try testing your application with Java 1.5-b2 to see if the problem has indeed been fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE implementations which _may_ not exhibit the same limitation.
HTH
Oleg
On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
Hi,
I'm using HttpClient to connect to an apache server that requires certificates. When I use client and server certificates from my own CA with 1024 bit keys it works perfectly. When I get a commercial certificate with a longer key (4096 bits), I get the following error (full message below) when I connect to apache:
javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
Google produced one result, which talked about a maximum key size using the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another site suggested getting the unrestricted policy files, so I got and installed them, but it doesn't seem to make any difference at all.
Does anyone have any thoughts or suggestions? Half-formed thoughts or ideas are welcome as it might give me a lead that I can follow myself.
Thanks
Tim Wild
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
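
The trust question discussed in this thread can be checked outside a live handshake. The following is an added example (not code from the thread or from HttpClient): it loads a trust store, lists the CAs it accepts as anchors, and runs a PEM-encoded server chain through the standard JSSE `X509TrustManager`. The class name `TrustCheck`, the file paths and the password passed as arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

// Usage: java TrustCheck <truststore> <password> <server-chain.pem>
// All three arguments are placeholders for your own files (assumptions).
public class TrustCheck {
    // Build a standard JSSE X509TrustManager backed only by the given store.
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 3) throw new IllegalArgumentException("need 3 arguments");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        X509TrustManager tm = trustManagerFor(ts);
        // CA certificates this store accepts as trust anchors.
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("trusted: " + ca.getSubjectX500Principal().getName());
        }
        // Server chain in PEM: leaf first, then any intermediate (sub-CA) certs.
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(args[2])) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
        for (X509Certificate c : chain) {
            System.out.println("presented: " + c.getSubjectX500Principal().getName()
                + "  issued by: " + c.getIssuerX500Principal().getName());
        }
        try {
            tm.checkServerTrusted(chain, "RSA"); // chain validation only, no hostname check
            System.out.println("RESULT: chain is trusted by this store");
        } catch (CertificateException e) {
            System.out.println("RESULT: not trusted: " + e.getMessage());
        }
    }
}
```

Run it against the store the application actually uses (the one named by `javax.net.ssl.trustStore` if that property is set, otherwise the JDK's `cacerts`), since the two can differ.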