Hi Bruno,

I've just checked in some enhancements to the StreamClientHelper class to
make it more robust regarding the presence of the key store and trust store. In
particular, we no longer try to initialise a key store if we don't have the key
password, which is mandatory.

I've attached the latest version in SVN trunk and my minimal test client.

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

 
-----Original Message-----
From: news [mailto:[email protected]] On behalf of Bruno Harbulot
Sent: Friday 21 August 2009 19:26
To: [email protected]
Subject: Re: Client HTTPS Invalid keystore format

Hi Laurent,


Laurent Garrigues wrote:

> keytool -genkey -v -alias serverX -dname "CN=serverX,OU=IT,O=JPC,C=GB" -keypass password -keystore serverX.jks -storepass password -keyalg "RSA" -sigalg "MD5withRSA" -keysize 2048 -validity 3650

I'd suggest using SHA1withRSA instead of MD5withRSA, since there have 
been known exploits against MD5.

Just to clarify for the rest of your experiment, since you're testing 
using localhost, the DN must be something like "CN=localhost,...".


> keytool -export -v -alias serverX -file serverX.cer -keystore serverX.jks -storepass password
> 
> sudo keytool -delete -alias serverX -file serverX.cer -keystore "/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts" -storepass "changeit"
> 
> sudo keytool -import -alias serverX -file serverX.cer -keystore "/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts" -storepass "changeit"
> ******************************************
> 
> On my server I have this line for configuring the https :
> 
> 
> *******************************************************************
> 
> System.setProperty("javax.net.ssl.trustStore","/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts");
> System.setProperty("javax.net.ssl.trustStorePassword","changeit");

You don't really need these lines above, since they are the default 
values. In addition, unless you're planning to use client-certificate 
authentication, you don't really need to configure the trust store on 
the server side.


> Server server = component.getServers().add(Protocol.HTTPS, 8283);
> Series<Parameter> parameters = server.getContext().getParameters();
> /* Required for HTTPS */
> parameters.add("sslContextFactory","org.restlet.ext.ssl.PkixSslContextFactory");

Unless you're planning to use client-certificate authentication, the 
DefaultSslContextFactory should be sufficient:
parameters.add("sslContextFactory","org.restlet.util.DefaultSslContextFactory");


    (or "com.noelios.restlet...." with Restlet 1.x).


> parameters.add("keystorePath", "/home/laurent/Bureau/serverX.jks");
> parameters.add("keystorePassword", "password");
> parameters.add("keyPassword", "password");
> parameters.add("keystoreType", "JKS");
> 
>
> *********************************************************************************


On the client side, I suspect you might have found a bug in 
org.restlet.engine.http.StreamClientHelper. It seems to be expecting a 
keystore file in ~/.keystore by default, which you probably don't need 
anyway (unless using client-cert auth).
If you have such a file, I'd try to move it out of the way to see if it 
makes a difference (although I'd expect that not finding the file would 
make the StreamClientHelper throw a FileNotFoundException).

Alternatively, I'd use another connector than the StreamClientHelper if 
you can: do you have either org.restlet.ext.net or 
org.restlet.ext.httpclient (with their dependencies) on your classpath?


Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2386072

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2386469

Attachment: StreamClientHelper.java
Description: Binary data

Attachment: HttpsClient.java
Description: Binary data
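The thread turns on two points: a plain HTTPS client only needs a trust store (or the JRE's default cacerts) and no key store at all, and a key store must not be initialised without its key password. The following is an added example, not Restlet's own code or the StreamClientHelper attached above; the class name SslContextBuilder, the trust store path and the port are assumptions. It builds a javax.net.ssl.SSLContext with the key store and trust store treated independently, refuses a key store whose key password is missing, and shows where the "Invalid keystore format" IOException from the subject line is raised (KeyStore.load, when the file is not of the declared type).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Restlet code). Builds an SSLContext from an optional
 * key store (client certificate) and an optional trust store (server
 * verification). Either may be absent: a client that only verifies the
 * server needs no key store, and a server that does no client-cert auth
 * needs no explicit trust store.
 */
public final class SslContextBuilder {

    private String keyStorePath;        // null = no client certificate
    private String keyStoreType = "JKS";
    private char[] keyStorePassword;
    private char[] keyPassword;         // mandatory once keyStorePath is set
    private String trustStorePath;      // null = JRE default (cacerts)
    private String trustStoreType = "JKS";
    private char[] trustStorePassword;

    public void setKeyStore(String path, String type, char[] storePw, char[] keyPw) {
        keyStorePath = path; keyStoreType = type;
        keyStorePassword = storePw; keyPassword = keyPw;
    }

    public void setTrustStore(String path, String type, char[] storePw) {
        trustStorePath = path; trustStoreType = type; trustStorePassword = storePw;
    }

    public SSLContext build() throws Exception {
        KeyManager[] keyManagers = null;            // null = no client cert
        if (keyStorePath != null) {
            // Do not half-initialise a key store: without the key password the
            // private key cannot be unlocked, so fail early and explicitly.
            if (keyPassword == null) {
                throw new IllegalStateException(
                        "keyPassword is mandatory when a key store is configured");
            }
            KeyStore ks = load(keyStoreType, keyStorePath, keyStorePassword);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                    KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPassword);
            keyManagers = kmf.getKeyManagers();
        }

        TrustManager[] trustManagers = null;        // null = JRE default trust store
        if (trustStorePath != null) {
            KeyStore ts = load(trustStoreType, trustStorePath, trustStorePassword);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            trustManagers = tmf.getTrustManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, trustManagers, null);
        return ctx;
    }

    private static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            // A JKS loader throws IOException("Invalid keystore format") here when
            // the file is not a JKS store (e.g. a .cer file or a PKCS12 store).
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Client side of the experiment in the thread: trust the exported self-signed
    // server certificate from a dedicated trust store instead of editing cacerts.
    // The trust store path is an assumption; create it with
    //   keytool -import -alias serverX -file serverX.cer -keystore client-trust.jks
    public static void main(String[] args) throws Exception {
        SslContextBuilder b = new SslContextBuilder();
        b.setTrustStore("/home/laurent/Bureau/client-trust.jks", "JKS",
                "changeit".toCharArray());
        SSLContext ctx = b.build();                 // no key store: no client cert

        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://localhost:8283/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the server certificate was generated with CN=serverX, the connection to https://localhost:8283/ will still fail hostname verification unless the certificate is regenerated with CN=localhost, as Bruno notes above; the trust-store setup alone only fixes the chain validation, not the name check.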
