hc-dev mailing list archives

From Michael Becke <be...@u.washington.edu>
Subject Re: Invalid RSA modulus size
Date Tue, 15 Jun 2004 02:58:32 GMT
Hi Tim,

This generally means the server's cert is signed by an untrusted 
CA.  You can get around this in a couple of ways.

  - import the server's cert into the keystore you are using
  - implement an SSL socket factory that is not so picky about who signed 
the cert.  This is not recommended for production use but can be useful 
for testing.  Take a look at the EasySSLProtocolSocketFactory described 
in <http://jakarta.apache.org/commons/httpclient/sslguide.html> for an 
example.
  - Sign your server cert with a CA that is trusted by JSSE.  Please 
take a look at the JSSE docs for info about which CAs are trusted.

Mike

On Jun 14, 2004, at 10:19 PM, Tim Wild wrote:

> Thanks for that Oleg. Using JDK 1.5.0b2 does indeed get past the 
> "invalid modulus size" error. I've got another error message now: 
> "javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: No trusted certificate 
> found".
>
> My apache server has a certificate from a certification authority 
> called Digital Identity, in New Zealand. They have a root certificate 
> authority, then two sub-CAs (perhaps called chained CAs). My server 
> certificate and client certificate are chained under one of these 
> sub-CAs. When I use Mozilla it all works perfectly, it requests the 
> certificate, the browser presents it, and I can see the page I 
> requested.
>
> When I try the same thing using Java I get the error message above. I 
> have a keystore with just my client certificate in it (nothing else), 
> the same client certificate that works in Mozilla. I know it's finding 
> the certificate because I'm having Java print out the alias of the 
> certificate it's using. The CA certs are in the cacerts file of the 
> JDK1.5 I'm using.
>
> Does anyone have any idea why I'm getting this error? Any thoughts or 
> ideas about how to go forward or things to investigate would be 
> welcome.
>
> Thanks
>
> Tim
>
> Oleg Kalnichevski wrote:
>
>> Tim,
>>
>> This is believed to be a limitation of all Sun's JCE/JSSE
>> implementations up to Java version 1.5. You can try testing your
>> application with Java 1.5-b2 to see if the problem has indeed been
>> fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>> implementations which _may_ not exhibit the same limitation
>>
>> HTH
>>
>> Oleg
>>
>> On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>>
>>> Hi,
>>>
>>> I'm using HttpClient to connect to an apache server that requires 
>>> certificates. When I use client and server certificates from my own 
>>> CA with 1024 bit keys it works perfectly. When I get a commercial 
>>> certificate with a longer key (4096 bits), I get the following error 
>>> (full message below) when I connect to apache:
>>>
>>> javax.net.ssl.SSLProtocolException: java.io.IOException: subject 
>>> key, Unknown key spec: Invalid RSA modulus size.
>>>
>>> Google produced one result, which talked about a maximum key size 
>>> using the JCE of 2048 bits using the JDK 1.4.2 default policy files. 
>>> Another site suggested getting the unrestricted policy files, so I 
>>> got and installed them, but it doesn't seem to make any difference 
>>> at all.
>>>
>>> Does anyone have any thoughts or suggestions? Half formed thoughts or 
>>> ideas are welcome as it might give me a lead that I can follow 
>>> myself.
>>>
>>> Thanks
>>>
>>> Tim Wild
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: 
>>> commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>> For additional commands, e-mail: 
>>> commons-httpclient-dev-help@jakarta.apache.org
>
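
Added example, not part of the original thread: one way to follow the first suggestion above without relaxing certificate validation is to give JSSE an explicit trust store holding the issuing CA certificates, kept separate from the key store that holds the client certificate. The class name, the file arguments and the `CLIENT_KS_PASS` environment variable are hypothetical, and the code uses current Java syntax rather than JDK 1.4/1.5.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsContext {
    // Trust material: only the CA certificates found in caFile (PEM or DER).
    static KeyStore trustStoreFrom(String caFile) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // start from an empty in-memory store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(caFile)) {
            int n = 0;
            for (Certificate ca : cf.generateCertificates(in)) {
                trust.setCertificateEntry("ca-" + n++, ca);
            }
        }
        if (trust.size() == 0) throw new IllegalArgumentException("no certificates in " + caFile);
        return trust;
    }
    // Key material: the client certificate and private key presented to the server.
    static KeyStore clientStoreFrom(String file, char[] password) throws Exception {
        KeyStore keys = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            keys.load(in, password);
        }
        return keys;
    }
    // Server validation stays on: the handshake succeeds only if the server chain ends in caFile.
    static SSLContext build(String caFile, String clientStore, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStoreFrom(caFile));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStoreFrom(clientStore, password), password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0] = CA certificate file, args[1] = client key store (both hypothetical paths)
        char[] pw = System.getenv("CLIENT_KS_PASS").toCharArray(); // hypothetical variable name
        SSLContext ctx = build(args[0], args[1], pw);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

The socket factory from `ctx.getSocketFactory()` can then be used for the connection; if the handshake still fails with "No trusted certificate found", the chain the server presents does not lead to any certificate in the CA file.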

