hc-dev mailing list archives

From Eric Johnson <e...@tibco.com>
Subject Re: Invalid RSA modulus size
Date Tue, 15 Jun 2004 16:11:05 GMT
Tim,

Make sure you imported the CA certificate with the -trustcacerts option. 
If you do everything else correctly, and leave out this step, you'll see 
the problem you reported. I've tripped over that mistake once or twice. 
That's just a shot-in-the-dark as to what might be your problem, though.

-Eric.

Tim Wild wrote:

>Thanks Michael. I have the CA cert and the chained CA certs in my
><java_home>/jre/lib/security/cacerts file. That CA issued the server
>cert too. It all works fine when I use Mozilla.
>
>I'm pretty sure it's a problem with certificate chaining, as when I use
>my own test CA, which doesn't have an intermediate CA.
>
>I use a custom socket factory that works perfectly with my own test CA
>too, which I must get around to posting some time, once I work out the
>IP issues.
>
>Any more thoughts or suggestions?
>
>Thanks
>
>Tim
>
>----- Original Message -----
>From: Michael Becke <becke@u.washington.edu>
>Date: Tuesday, June 15, 2004 2:58 pm
>Subject: Re: Invalid RSA modulus size
>
>>Hi Tim,
>>
>>This generally means the server's cert is signed by an untrusted
>>CA.  You can get around this in a couple of ways.
>>
>> - import the server's cert into the keystore you are using
>> - implement an SSL socket factory that is not so picky about who signed
>>the cert.  This is not recommended for production use but can be useful
>>for testing.  Take a look at the EasySSLProtocolSocketFactory described
>>in <http://jakarta.apache.org/commons/httpclient/sslguide.html> for an
>>example.
>> - Sign your server cert with a CA that is trusted by JSSE.  Please
>>take a look at the JSSE docs for info about which CAs are trusted.
>>
>>Mike
>>
>>On Jun 14, 2004, at 10:19 PM, Tim Wild wrote:
>>
>>>Thanks for that Oleg. Using JDK 1.5.0b2 does indeed get past the
>>>"invalid modulus size" error. I've got another error message now:
>>>"javax.net.ssl.SSLHandshakeException:
>>>sun.security.validator.ValidatorException: No trusted certificate
>>>found".
>>>
>>>My apache server has a certificate from a certification authority
>>>called Digital Identity, in New Zealand. They have a root certificate
>>>authority, then two sub-CAs (perhaps called chained CAs). My server
>>>certificate and client certificate are chained under one of these
>>>sub-CAs. When I use Mozilla it all works perfectly, it requests the
>>>certificate, the browser presents it, and I can see the page I
>>>requested.
>>>
>>>When I try the same thing using Java I get the error message above. I
>>>have a keystore with just my client certificate in it (nothing else),
>>>the same client certificate that works in Mozilla. I know it's finding
>>>the certificate because I'm having Java print out the alias of the
>>>certificate it's using. The CA certs are in the cacerts file of the
>>>JDK1.5 I'm using.
>>>
>>>Does anyone have any idea why I'm getting this error? Any thoughts or
>>>ideas about how to go forward or things to investigate would be
>>>welcome.
>>>
>>>Thanks
>>>
>>>Tim
>>>
>>>Oleg Kalnichevski wrote:
>>>
>>>>Tim,
>>>>
>>>>This is believed to be a limitation of all Sun's JCE/JSSE
>>>>implementations up to Java version 1.5. You can try testing your
>>>>application with Java 1.5-b2 to see if the problem has indeed been
>>>>fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>>>>implementations which _may_ not exhibit the same limitation
>>>>
>>>>HTH
>>>>
>>>>Oleg
>>>>
>>>>On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>>I'm using HttpClient to connect to an apache server that requires
>>>>>certificates. When I use client and server certificates from my own
>>>>>CA with 1024 bit keys it works perfectly. When I get a commercial
>>>>>certificate with a longer key (4096 bits), I get the following error
>>>>>(full message below) when I connect to apache:
>>>>>
>>>>>javax.net.ssl.SSLProtocolException: java.io.IOException: subject
>>>>>key, Unknown key spec: Invalid RSA modulus size.
>>>>>
>>>>>Google produced one result, which talked about a maximum key size
>>>>>using the JCE of 2048 bits using the JDK 1.4.2 default policy files.
>>>>>Another site suggested getting the unrestricted policy files, so I
>>>>>got and installed them, but it doesn't seem to make any difference
>>>>>at all.
>>>>>
>>>>>Does anyone have any thoughts or suggestions? Half-formed thoughts or
>>>>>ideas are welcome as it might give me a lead that I can follow
>>>>>myself.
>>>>>
>>>>>Thanks
>>>>>
>>>>>Tim Wild
>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
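The three things this thread turns on, the RSA key size that the old JCE rejected, the missing intermediate CA behind "No trusted certificate found", and a socket factory that is not a "trust anything" hack, as one added Java diagnostic. This is example code written for this archive page, not code from the thread or from HttpClient. It assumes a PEM bundle named server-chain.pem holding the server certificate followed by its intermediate CA certificates, a truststore such as the JDK's cacerts (or one you built with keytool -import -trustcacerts, as Eric suggests) that opens with no password, and Java 7 or later syntax.

```java
// ChainCheck.java: an added diagnostic, not code from this thread or from HttpClient.
// Reads a PEM bundle (server certificate first, then its intermediate CAs), prints each
// certificate's RSA modulus size, validates the chain against a truststore the way JSSE
// does, and builds an SSLSocketFactory limited to that truststore. Paths are assumptions.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ChainCheck {
    // Every X.509 certificate in the PEM bundle, in file order (leaf first).
    static List<X509Certificate> readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    // Subject, issuer and key size per certificate; a 4096-bit RSA key shows up here.
    static void describe(List<X509Certificate> chain) {
        for (X509Certificate cert : chain) {
            String key = cert.getPublicKey().getAlgorithm();
            if (cert.getPublicKey() instanceof RSAPublicKey) {
                key += " " + ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() + " bits";
            }
            System.out.println("subject: " + cert.getSubjectX500Principal());
            System.out.println("  issuer: " + cert.getIssuerX500Principal());
            System.out.println("  key:    " + key);
        }
    }

    // PKIX path validation as JSSE performs it during the handshake. Returns null on
    // success, otherwise a message naming the failing certificate and the reason. Self-signed
    // roots are dropped from the path (they belong in the truststore); revocation is off.
    static String validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate cert : chain) {
            if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                path.add(cert);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return null;
        } catch (CertPathValidatorException e) {
            // Index -1: no trust anchor matched the last issuer in the path, which is the
            // "No trusted certificate found" situation when an intermediate CA is missing.
            int idx = e.getIndex();
            String where = idx < 0
                    ? "no trust anchor for issuer " + path.get(path.size() - 1).getIssuerX500Principal()
                    : "certificate #" + idx + " (" + path.get(idx).getSubjectX500Principal() + ")";
            return where + ": " + e.getMessage();
        }
    }

    // The production-safe counterpart of a "trust anything" test socket factory: trust is
    // limited to the given truststore. A custom HttpClient socket factory can wrap this one.
    static SSLSocketFactory socketFactoryFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; pass your own PEM bundle and truststore as arguments.
        String pem = args.length > 0 ? args[0] : "server-chain.pem";
        String ts = args.length > 1 ? args[1] : System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(ts)) {
            trustStore.load(in, null);  // null password skips the integrity check, enough for reading
        }
        List<X509Certificate> chain = readPemChain(pem);
        describe(chain);
        String problem = validate(chain, trustStore);
        System.out.println(problem == null ? "chain validates against " + ts : "FAIL: " + problem);
    }
}
```

Run it with `javac ChainCheck.java && java ChainCheck server-chain.pem /path/to/truststore`. When the output names a missing trust anchor, the remedy is the one the thread arrives at: import the intermediate CA certificate into the truststore the client actually uses. A socket factory built on socketFactoryFor() fails the handshake in exactly that situation instead of accepting any certificate, which is the property that makes it acceptable for production where a trust-everything factory is not.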

