Tim,
Make sure you imported the CA certificate with the -trustcacerts option. If you do everything else correctly, and leave out this step, you'll see the problem you reported. I've tripped over that mistake once or twice. That's just a shot-in-the-dark as to what might be your problem, though.
-Eric.
Tim Wild wrote:
Thanks Michael. I have the CA cert and the chained CA certs in my <java_home>/jre/lib/security/cacerts file. That CA issued the server cert too. It all works fine when I use Mozilla.
I'm pretty sure it's a problem with certificate chaining, as when I use my own test CA, which doesn't have an intermediate CA.
I use a custom socket factory that works perfectly with my own test CA too, which I must get around to posting some time, once I work out the IP issues.
Any more thoughts or suggestions?
Thanks
Tim
----- Original Message ----- From: Michael Becke <[EMAIL PROTECTED]> Date: Tuesday, June 15, 2004 2:58 pm Subject: Re: Invalid RSA modulus size
Hi Tim,
This generally means that the server's cert is signed by an untrusted CA. You can get around this in a couple of ways.
- import the server's cert into the keystore you are using
- implement an SSL socket factory that is not so picky about who signed the cert. This is not recommended for production use but can be useful for testing. Take a look at the EasySSLProtocolSocketFactory described in http://jakarta.apache.org/commons/httpclient/sslguide.html for an example.
- Sign your server cert with a CA that is trusted by JSSE. Please take a look at the JSSE docs for info about which CAs are trusted.
Mike
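The trust failure discussed in this thread, as an added worked example that is not code from the thread, from HttpClient or from JSSE: a constructed root CA -> sub-CA -> server certificate chain (the layout Tim describes) is built in-process and run through PKIX path validation under different truststore contents, so you can see exactly when the "no trusted certificate authority" class of error appears and which of the fixes above (importing the CA chain into the truststore, or the server certificate itself) makes it go away. It is written in Go rather than Java because Go's standard-library crypto/x509 can issue the certificates without any external files; the chain-building rules are the same ones a PKIX trust manager applies. All names ("Example Root CA", "Example Sub-CA 1", "www.example.test") are made up for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI (root CA -> sub-CA -> server cert),
// the layout described in the thread. All names below are made up.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues a certificate from tmpl for pub, signed by parent with key.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates fresh RSA keys and issues root -> sub-CA -> leaf.
func BuildChain() *Chain {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	subKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true, // basicConstraints CA:TRUE, needed to sign
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Example Root CA")
	root := must(sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)) // self-signed
	sub := must(sign(caTmpl(2, "Example Sub-CA 1"), root, &subKey.PublicKey, rootKey))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(sign(leafTmpl, sub, &leafKey.PublicKey, subKey))
	return &Chain{Root: root, Intermediate: sub, Leaf: leaf}
}

// VerifyLeaf runs PKIX path validation for the server cert. trusted plays the
// role of the client truststore (cacerts); presented is what the server sends
// alongside its own certificate in the TLS handshake.
func VerifyLeaf(c *Chain, trusted, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	for _, p := range presented {
		inters.AddCert(p)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.example.test",
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports the "no path to a trust anchor" failure, the
// counterpart of JSSE's "No trusted certificate authority found".
func IsUnknownAuthority(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

func main() {
	c := BuildChain()
	root, sub := []*x509.Certificate{c.Root}, []*x509.Certificate{c.Intermediate}
	fmt.Println("truststore: root; server sends leaf only:      ", VerifyLeaf(c, root, nil))
	fmt.Println("truststore: root; server sends leaf + sub-CA:  ", VerifyLeaf(c, root, sub))
	fmt.Println("truststore: root + sub-CA; leaf only:          ", VerifyLeaf(c, append(root, c.Intermediate), nil))
	fmt.Println("truststore: the server cert itself; leaf only: ", VerifyLeaf(c, []*x509.Certificate{c.Leaf}, nil))
}
```

The first case is the symptom in the thread: the root is trusted, but nothing links the server certificate to it, so validation stops with an unknown-authority error. Either the server must send the sub-CA certificate in its handshake (second case) or the client truststore must contain the sub-CA as well as the root (third case, which is what importing the chained CA certs into cacerts achieves). The fourth case is Mike's first option, importing the server certificate itself, which validates but has to be repeated every time that certificate is renewed.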
On Jun 14, 2004, at 10:19 PM, Tim Wild wrote:
Thanks for that Oleg. Using JDK 1.5.0b2 does indeed get past the "invalid modulus size" error. I've got another error message now:
"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate authority found".
My apache server has a certificate from a certification authority called Digital Identity, in New Zealand. They have a root certificate authority, then two sub-CAs (perhaps called chained CAs). My server certificate and client certificate are chained under one of these sub-CAs. When I use Mozilla it all works perfectly, it requests the certificate, the browser presents it, and I can see the page I requested.
When I try the same thing using Java I get the error message above. I have a keystore with just my client certificate in it (nothing else), the same client certificate that works in Mozilla. I know it's finding the certificate because I'm having Java print out the alias of the certificate it's using. The CA certs are in the cacerts file of the JDK1.5 I'm using.
Does anyone have any idea why I'm getting this error? Any thoughts or ideas about how to go forward or things to investigate would be welcome.
Thanks
Tim
Oleg Kalnichevski wrote:
Tim,
This is believed to be a limitation of all Sun's JCE/JSSE implementations up to Java version 1.5. You can try testing your application with Java 1.5-b2 to see if the problem has indeed been fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE implementations which _may_ not exhibit the same limitation.
HTH
Oleg
On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
Hi,
I'm using HttpClient to connect to an apache server that requires certificates. When I use client and server certificates from my own CA with 1024 bit keys it works perfectly. When I get a commercial certificate with a longer key (4096 bits), I get the following error (full message below) when I connect to apache:
javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
Google produced one result, which talked about a maximum key size using the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another site suggested getting the unrestricted policy files, so I got and installed them, but it doesn't seem to make any difference at all.
Does anyone have any thoughts or suggestions? Half formed thoughts or ideas are welcome as it might give me a lead that I can follow myself.
Thanks
Tim Wild
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]