Tim,

I have had good results with IAIK JCE & SSL libraries. They are neither free nor open-source but seem just fine otherwise.

http://jce.iaik.tugraz.at/products/index.php

You'd still need to check with the IAIK's technical folks if their JCE implementation is capable of handling larger keys.

Hope this helps

Oleg

-----Original Message-----
From: Tim Wild [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 1:43
To: Commons HttpClient Project
Subject: Re: Invalid RSA modulus size

Thanks for that Oleg, you were indeed correct. Using JDK1.4 I couldn't get this to work, but it worked perfectly on 1.5.0 beta 2. I had a few problems getting all my certificates in the right place, but in the end I got there. Eric, your -trustcacerts was helpful too, and thanks to everyone who made suggestions.

We're using Sybase EAServer, and we're locked into using JDK 1.4.2_03. Because of this I think I'll need to look into 3rd party JSSE or JCE implementations. Bouncycastle is the only provider I know of, but they don't seem to support TLS. Google isn't helping me much here. Does anyone know of a suitable provider that might have a working version of JSSE/JCE?

FYI the error I'm getting is:

javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.

One tip I found: if you generate your private key using openssl, then get a certificate back from a CA, it can be hard to get this into your Java keystore. The only way I know to do it is to create a pkcs12 certificate containing both your public and private key, then using keytoolgui you have to use the "import key pair" option instead of using "import certificate". The Java keytool can't do this because it doesn't understand pkcs12, and there's no way I could find to import a private key. The other option is to generate your private key using keytool, but it's difficult to get the private key out of the keystore. Incidentally keytoolgui has now been turned into a commercial product, but the old one still works if you can find it.

I hope this helps someone, and I appreciate any suggestions anyone has about my problem.

Tim

Oleg Kalnichevski wrote:

>Tim,
>
>This is believed to be a limitation of all Sun's JCE/JSSE
>implementations up to Java version 1.5. You can try testing your
>application with Java 1.5-b2 to see if the problem has indeed been
>fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>implementations which _may_ not exhibit the same limitation
>
>HTH
>
>Oleg
>
>On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>
>
>>Hi,
>>
>>I'm using HttpClient to connect to an apache server that requires
>>certificates. When I use client and server certificates from my own CA
>>with 1024 bit keys it works perfectly. When I get a commercial
>>certificate with a longer key (4096 bits), I get the following error
>>(full message below) when I connect to apache:
>>
>>javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
>>Unknown key spec: Invalid RSA modulus size.
>>
>>Google produced one result, which talked about a maximum key size using
>>the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
>>site suggested getting the unrestricted policy files, so I got and
>>installed them, but it doesn't seem to make any difference at all.
>>
>>Does anyone have any thoughts or suggestions? Half formed thoughts or
>>ideas are welcome as it might give me a lead that I can follow myself.
>>
>>Thanks
>>
>>Tim Wild
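
Added example, not part of the original thread and not code from any of its posters: the key-pair import Tim describes doing with keytoolgui, done through the standard java.security.KeyStore API, with the RSA modulus size of each imported certificate printed so an oversized key is visible before the TLS handshake fails. The class name, the command-line arguments, the use of a current JDK (7 or later) and the assumption that the PKCS#12 key password equals the store password are all choices made for this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

// Added example: copy key pairs from a PKCS#12 file into a JKS keystore.
// Run as: java Pkcs12ToJks <in.p12> <p12-password> <out.jks> <jks-password>
public class Pkcs12ToJks {
    // RSA modulus length in bits, or -1 when the key is not RSA.
    static int rsaBits(PublicKey key) {
        return (key instanceof RSAPublicKey)
                ? ((RSAPublicKey) key).getModulus().bitLength() : -1;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: Pkcs12ToJks <in.p12> <p12-pass> <out.jks> <jks-pass>");
            System.exit(2);
        }
        char[] inPass = args[1].toCharArray();  // assumed: key password == store password
        char[] outPass = args[3].toCharArray();

        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            p12.load(in, inPass);
        }
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);                   // start from an empty keystore

        for (String alias : Collections.list(p12.aliases())) {
            if (!p12.isKeyEntry(alias)) continue;          // skip bare certificates
            Key key = p12.getKey(alias, inPass);
            Certificate[] chain = p12.getCertificateChain(alias);
            if (key == null || chain == null || chain.length == 0) continue;
            jks.setKeyEntry(alias, key, outPass, chain);   // private key plus its chain
            System.out.println(alias + ": RSA modulus "
                    + rsaBits(chain[0].getPublicKey()) + " bits, chain of " + chain.length);
        }
        try (OutputStream out = new FileOutputStream(args[2])) {
            jks.store(out, outPass);
        }
    }
}
```

Passwords passed as arguments are visible in the process list and shell history, so read them from the console or a protected file outside of a test setup.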