Resolved by rev. 1458901
On 20 March 2013 13:24, Ken Giusti <kgiu...@redhat.com> wrote:
>
> This failure is due to my updates to the SSL certificates and keys used by
> the SSL unit tests.
>
> Specifically:
>
> IllegalStateException: java.lang.IllegalStateException: Unable to read PEM
> object from file
> /home/jenkins/jenkins-slave/workspace/Qpid-proton-j/trunk/tests/target/classes/proton_tests/ssl_db/server-private-key.pem
> proton_tests.ssl.SslTest.test_client_server_authentication ..............Mar
> 20, 2013 1:48:59 AM
> org.apache.qpid.proton.engine.impl.ssl.SslEngineFacadeFactory readPemObject
> SEVERE: Unable to read PEM object. Perhaps you need the unlimited strength
> libraries in <java-home>/jre/lib/security/ ?
> org.bouncycastle.openssl.PEMException: problem parsing ENCRYPTED PRIVATE KEY:
> java.security.InvalidKeyException: Illegal key size
>
>
> I've hit this problem before, and have yet to be able to solve it (on my
> machine, at least).
>
> The problem is due to the export restrictions on encryption. I suspect the
> default java configuration for some machines - certainly OSX - does not allow
> for exportable key lengths. On such systems, the proton SSL test will fail
> as the environment cannot handle the key lengths used in the checked in
> certificates.
>
> So why not check in certificates with short keys? That'll fix the problem.
> But I can't - the Fedora packages do not support creating certs with short
> key lengths, for security reasons. Therefore I cannot generate universally
> usable certs in my environment.
>
> This is a call for help - is there anyone out there who is seeing the same
> SSL test failures using the latest trunk? If so, can you regenerate the test
> certificates on your system? There's a script attached to the end of the
> README.txt file in qpid-proton/tests/python/proton_tests/ssl_db - simply run
> that in the ssl_db directory to regenerate the certs. Rerun the SSL tests -
> they should pass. If they do, send me the diff and I'll check it in.
>
> Alternatively, if anyone can figure out how to install weak keysigning
> algorithms on a Fedora box - I'm all ears.
>
>
> FYI: In order to support the larger key lengths, the following policy files
> need to be installed:
> http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
>
>
> ----- Forwarded Message -----
>> From: "Apache Jenkins Server" <jenk...@builds.apache.org>
>> To: notificati...@qpid.apache.org
>> Sent: Tuesday, March 19, 2013 9:49:01 PM
>> Subject: Jenkins build is still unstable: Qpid-proton-j » tests #295
>>
>> See
>> <https://builds.apache.org/job/Qpid-proton-j/org.apache.qpid$tests/changes>
>>
>>
>
> --
> -K
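
An added diagnostic, not part of the original thread or of Qpid Proton, for checking whether a given JVM is running under the limited-strength JCE policy that produces the `InvalidKeyException` quoted above. It reports the policy's maximum key length and then tries to initialise a cipher at several key sizes to show where the JVM starts refusing. The class name `JcePolicyCheck` is hypothetical, and AES is an assumed stand-in because the thread does not say which cipher protects `server-private-key.pem`.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;

// Hypothetical diagnostic class (added example); not part of Qpid Proton.
public class JcePolicyCheck {

    // Cipher.getMaxAllowedKeyLength returns Integer.MAX_VALUE when the
    // unlimited-strength policy files are in effect for this JVM.
    static boolean isRestricted(String transformation) throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength(transformation) != Integer.MAX_VALUE;
    }

    // Try to initialise a cipher with an all-zero key of keyBits bits.
    // Returns null on success, or the InvalidKeyException message if the
    // installed policy refuses the key size.
    static String tryInit(String transformation, String keyAlg, int keyBits, int ivBytes)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        SecretKeySpec key = new SecretKeySpec(new byte[keyBits / 8], keyAlg);
        try {
            c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[ivBytes]));
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String t = "AES/CBC/PKCS5Padding"; // assumed cipher, see lead-in
        // java.home shows which JRE's lib/security directory is being used.
        System.out.println("java.home         = " + System.getProperty("java.home"));
        System.out.println("max AES key bits  = " + Cipher.getMaxAllowedKeyLength(t));
        System.out.println("policy restricted = " + isRestricted(t));
        for (int bits : new int[] {128, 192, 256}) {
            String err = tryInit(t, "AES", bits, 16);
            System.out.println("AES-" + bits + ": "
                    + (err == null ? "ok" : "refused (" + err + ")"));
        }
    }
}
```

Run it with the same JRE the build slave uses for the tests; a restricted result means the policy files mentioned in the message are not installed in that JRE's `lib/security` directory.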