Hi Laurent,
Laurent Garrigues wrote:
> keytool -genkey -v -alias serverX -dname "CN=serverX,OU=IT,O=JPC,C=GB"
> -keypass password -keystore serverX.jks -storepass password -keyalg "RSA"
> -sigalg "MD5withRSA" -keysize 2048 -validity 3650
I'd suggest using SHA1withRSA instead of MD5withRSA, since there have
been known exploits against MD5.
Just to clarify for the rest of your experiment, since you're testing
using localhost, the DN must be something like "CN=localhost,...".
> keytool -export -v -alias serverX -file serverX.cer -keystore serverX.jks
> -storepass password
>
> sudo keytool -delete -alias serverX -file serverX.cer -keystore
> "/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts" -storepass "changeit"
>
> sudo keytool -import -alias serverX -file serverX.cer -keystore
> "/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts" -storepass "changeit"
> ******************************************
>
> On my server I have this line for configuring the https :
>
> *******************************************************************
>
> System.setProperty("javax.net.ssl.trustStore","/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts");
> System.setProperty("javax.net.ssl.trustStorePassword","changeit");
You don't really need these lines above, since they are the default
values. In addition, unless you're planning to use client-certificate
authentication, you don't really need to configure the trust store on
the server side.
> Server server = component.getServers().add(Protocol.HTTPS, 8283);
> Series<Parameter> parameters = server.getContext().getParameters();
> /* Required for HTTPS */
> parameters.add("sslContextFactory","org.restlet.ext.ssl.PkixSslContextFactory");
Unless you're planning to use client-certificate authentication, the
DefaultSslContextFactory should be sufficient:
parameters.add("sslContextFactory","org.restlet.util.DefaultSslContextFactory");
(or "com.noelios.restlet...." with Restlet 1.x).
> parameters.add("keystorePath", "/home/laurent/Bureau/serverX.jks");
> parameters.add("keystorePassword", "password");
> parameters.add("keyPassword", "password");
> parameters.add("keystoreType", "JKS");
>
> *********************************************************************************
On the client side, I suspect you might have found a bug in
org.restlet.engine.http.StreamClientHelper. It seems to be expecting a
keystore file in ~/.keystore by default, which you probably don't need
anyway (unless using client-cert auth).
If you have such a file, I'd try to move it out of the way to see if it
makes a difference (although I'd expect that not finding the file would
make the StreamClientHelper throw a FileNotFoundException).
Alternatively, I'd use another connector than the StreamClientHelper if
you can: do you have either org.restlet.ext.net or
org.restlet.ext.httpclient (with their dependencies) on your classpath?
Best wishes,
Bruno.
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2386072
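Pulling Bruno's points together, here is an added example (my code, not from this thread and not part of the Restlet project) of a Restlet 2.0 HTTPS server configured with DefaultSslContextFactory and a keystore only, plus a client that uses the org.restlet.ext.net connector rather than the internal StreamClientHelper. It goes one step beyond the thread on the client side: instead of importing the self-signed certificate into the JVM-wide cacerts with sudo, the client points javax.net.ssl.trustStore at a dedicated truststore that holds only the exported serverX.cer. The file paths, the client-truststore.jks name, the passwords and the keytool invocation in the header comment are assumptions chosen for illustration; the port and keystore path follow the ones in the thread.

```java
// Added example, not code from the thread or the Restlet project.
// Key material is assumed to have been generated once beforehand, with the CN
// equal to the host the client will connect to and SHA1withRSA instead of
// MD5withRSA (commands assumed):
//   keytool -genkey -alias serverX -dname "CN=localhost,OU=IT,O=JPC,C=GB" \
//       -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 3650 \
//       -keystore serverX.jks -storepass password -keypass password
//   keytool -export -alias serverX -file serverX.cer \
//       -keystore serverX.jks -storepass password
//   keytool -import -noprompt -alias serverX -file serverX.cer \
//       -keystore client-truststore.jks -storepass changeit
import java.io.IOException;

import org.restlet.Client;
import org.restlet.Component;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.Server;
import org.restlet.data.MediaType;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.engine.Engine;
import org.restlet.ext.net.HttpClientHelper;
import org.restlet.resource.ClientResource;
import org.restlet.util.Series;

public class HttpsExample {

    // Assumed locations; the server keystore path is the one used in the thread.
    static final String SERVER_KEYSTORE = "/home/laurent/Bureau/serverX.jks";
    static final String CLIENT_TRUSTSTORE = "/home/laurent/Bureau/client-truststore.jks";
    static final int PORT = 8283;

    /** Server side: keystore only. No truststore, since no client certificates are verified. */
    public static Component startServer() throws Exception {
        Component component = new Component();
        Server server = component.getServers().add(Protocol.HTTPS, PORT);
        Series<Parameter> params = server.getContext().getParameters();
        params.add("sslContextFactory", "org.restlet.util.DefaultSslContextFactory");
        params.add("keystorePath", SERVER_KEYSTORE);
        params.add("keystorePassword", "password");
        params.add("keyPassword", "password");
        params.add("keystoreType", "JKS");

        component.getDefaultHost().attach(new Restlet() {
            @Override
            public void handle(Request request, Response response) {
                response.setEntity("hello over TLS\n", MediaType.TEXT_PLAIN);
            }
        });
        component.start();
        return component;
    }

    /** Client side: trust exactly the exported server certificate, via the ext.net connector. */
    public static String fetch(String url) throws IOException {
        // The ext.net connector is built on HttpsURLConnection, which uses the JVM's
        // default SSLContext, so these properties select the truststore it verifies
        // the server against. Only serverX.cer is in it; cacerts stays untouched.
        System.setProperty("javax.net.ssl.trustStore", CLIENT_TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        // Replace the internal StreamClientHelper with the ext.net connector.
        Engine.getInstance().getRegisteredClients().clear();
        Engine.getInstance().getRegisteredClients().add(new HttpClientHelper(null));

        Client client = new Client(Protocol.HTTPS);
        ClientResource resource = new ClientResource(url);
        resource.setNext(client);
        try {
            return resource.get().getText();
        } finally {
            try {
                client.stop();
            } catch (Exception e) {
                // nothing useful to do on shutdown failure in this example
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Component component = startServer();
        try {
            // "localhost" must match the certificate CN, or hostname
            // verification fails the TLS handshake on the client.
            System.out.println(fetch("https://localhost:" + PORT + "/"));
        } finally {
            component.stop();
        }
    }
}
```

Run it with org.restlet, org.restlet.ext.net and the JDK on the classpath. If the client still reports a FileNotFoundException for ~/.keystore, the registered client list was not replaced before the first request was made and the StreamClientHelper is still being picked up.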