Thank you. Yes, I did look at that. However, it works fine when I use the server.jks file on the client side and the client.jks file configured using Java system properties with IBM JDK 7. The same certificates work fine with IBM JDK 7 in WebSphere, WebLogic, and JBoss. My understanding is that it should not work in any other alternate configuration if there is a problem with the certificate itself, right?

Thanks,
Venkat

> Date: Fri, 18 Oct 2013 16:53:54 +0200
> From: [email protected]
> To: [email protected]
> Subject: Re: SSL handshake exception on IBM AIX 6.1 with IBM JDK 7
>
> Are you familiar with
> http://www-01.ibm.com/support/docview.wss?uid=swg21496789 ?
>
> Cheers,
>
> On 18.10.2013 14:34, NALLA, VENKAT wrote:
> > Hi,
> > I am testing CXF 2.7.6 on AIX 6.1 with IBM J9 JDK 7 JVM. The client and
> > server are on two different machines of same kind in both the cases IBM JVM
> > (same version) are used. Both the servers have truststore/keystores based on
> > VeriSign signed certificates for the respective machines.
> >
> > Server Side SSL Configuration:
> >
> > <httpj:engine-factory bus="cxf">
> >   <httpj:engine port="7643">
> >     <httpj:tlsServerParameters secureSocketProtocol="SSL">
> >       <csec:trustManagers>
> >         <csec:keyStore type="JKS" password="..." file="server.jks"/>
> >       </csec:trustManagers>
> >       <csec:keyManagers keyPassword="...">
> >         <csec:keyStore type="JKS" password="..." file="server.jks"/>
> >       </csec:keyManagers>
> >       <csec:clientAuthentication want="false" required="false"/>
> >     </httpj:tlsServerParameters>
> >   </httpj:engine>
> > </httpj:engine-factory>
> >
> > Client Side SSL Configuration:
> >
> > <http:conduit name="*.http-conduit">
> >   <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL">
> >     <sec:trustManagers>
> >       <sec:keyStore type="JKS" password="..." file="client.jks"/>
> >     </sec:trustManagers>
> >   </http:tlsClientParameters>
> > </http:conduit>
> >
> > I am getting the following error:
> >
> > [java] Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Violated path length constraints
> > [java] at com.ibm.jsse2.j.a(j.java:39)
> > [java] at com.ibm.jsse2.qc.a(qc.java:337)
> > [java] at com.ibm.jsse2.ab.a(ab.java:225)
> > [java] at com.ibm.jsse2.ab.a(ab.java:162)
> > [java] at com.ibm.jsse2.bb.a(bb.java:352)
> > [java] at com.ibm.jsse2.bb.a(bb.java:13)
> > [java] at com.ibm.jsse2.ab.r(ab.java:75)
> > [java] at com.ibm.jsse2.ab.a(ab.java:532)
> > [java] at com.ibm.jsse2.qc.a(qc.java:158)
> > [java] at com.ibm.jsse2.qc.h(qc.java:272)
> > [java] at com.ibm.jsse2.qc.a(qc.java:234)
> > [java] at com.ibm.jsse2.qc.startHandshake(qc.java:8)
> > [java] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:111)
> > [java] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:18)
> > [java] at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1099)
> > [java] at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:11)
> > [java] at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168)
> > [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1278)
> > [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
> > [java] at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
> > [java] at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
> > [java] at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
> > [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291)
> > [java] ... 16 more
> > [java] Caused by: com.ibm.jsse2.util.h: Violated path length constraints
> >
> > It works fine:
> > 1) with IBM JDK 6 using spring configuration files shown above as well as
> > Oracle/Sun JDK 7 on windows 7 desktop.
> > 2) When server.jks file is used on the client side configuration with IBM
> > JDK 7.
> > 3) Works fine when the truststore is configured via system properties of
> > java client process using JDK 7:
> >
> > java -Dcxf.config.file=client.xml -Djavax.net.debug=all
> > -Djavax.net.ssl.trustStore=client.jks
> > -Djavax.net.ssl.trustStorePassword=... -Dhttps.protocols=SSLv3
> > com.mycomany.Client
> >
> > configuration file is without any SSL configuration as shown below
> > (client.xml):
> >
> > <http:conduit name="*.http-conduit">
> > </http:conduit>
> >
> > Thanks,
> > Venkat
>
> --
> Marcel Stör, http://frightanic.com
> Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
