hc-dev mailing list archives

From Roland Weber <ROLWE...@de.ibm.com>
Subject Re: Invalid RSA modulus size
Date Tue, 15 Jun 2004 11:13:35 GMT
Hello Tim,

if you have a custom socket factory, maybe it does
not use the default certificate store in .../cacerts.
Can you explicitly load a certificate store?

just a thought,
  Roland
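As an added example (not code from this thread or from the HttpClient project) of Roland's suggestion to load a certificate store explicitly, the following standalone Java program builds an SSLContext from a named trust store rather than the default cacerts, performs a handshake against a host, and, when the handshake fails with "No trusted certificate found", reports the chain the server actually presented and whether the issuer of its top certificate is in the loaded store. The trust manager wrapper records the chain but still delegates every decision to the real JSSE trust manager, so verification is never weakened. The class name, the command-line arguments and the trust store path are assumptions; it is written in current Java rather than the 1.4/1.5 releases discussed above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Assumed class name: diagnoses chain trust against an explicitly loaded trust store. */
public class TrustStoreCheck {

    /** Records the chain the server sent, then lets the real trust manager verify it unchanged. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain;                       // keep a copy for the failure report
            delegate.checkServerTrusted(chain, authType);   // full JSSE validation still runs
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Loads a JKS/PKCS12 store from an explicit path instead of relying on .../lib/security/cacerts. */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Wraps the X509TrustManager that JSSE would build for this store. */
    static RecordingTrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return new RecordingTrustManager((X509TrustManager) tm);
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** True if a store entry has this cert's issuer as its subject and actually signed it. */
    static boolean issuerInStore(X509Certificate cert, KeyStore trustStore) throws Exception {
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(e.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(ca.getPublicKey());      // name matches; confirm the signature too
                return true;
            } catch (Exception wrongKey) {
                // same subject name but a different key: keep looking
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // usage (assumed): java TrustStoreCheck host port truststore.jks [storepass]
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] storePass = args.length > 3 ? args[3].toCharArray() : null;
        KeyStore trustStore = loadStore(args[2], storePass);
        RecordingTrustManager tm = trustManagerFor(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("handshake OK: " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException ex) {
            System.out.println("handshake failed: " + ex.getMessage());
            X509Certificate[] chain = tm.lastChain;
            if (chain == null) {
                System.out.println("no certificate chain was presented");
                return;
            }
            for (int i = 0; i < chain.length; i++) {
                System.out.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal()
                        + " issuer=" + chain[i].getIssuerX500Principal());
            }
            X509Certificate top = chain[chain.length - 1];
            boolean selfSigned = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
            if (selfSigned) {
                System.out.println("chain ends in a self-signed root; that root must be in the trust store: "
                        + (issuerInStore(top, trustStore) ? "found" : "MISSING"));
            } else {
                System.out.println("chain ends at an intermediate; its issuer must be in the trust store: "
                        + (issuerInStore(top, trustStore) ? "found" : "MISSING"));
            }
        }
    }
}
```

The report distinguishes the two ways a chained-CA setup fails on the client side: the server sends only its leaf certificate and the sub-CA that signed it is not in the store (the issuer lookup prints MISSING), or the server sends the full chain up to a root that the store lacks. In either case the fix is to add the missing CA certificate to the store the application actually loads, not to relax the trust manager.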





Tim Wild <tim.wild@solnetsolutions.co.nz> 
15.06.2004 07:28
Please respond to
"Commons HttpClient Project"


To
Commons HttpClient Project <commons-httpclient-dev@jakarta.apache.org>
cc

Subject
Re: Invalid RSA modulus size






Thanks Michael. I have the CA cert and the chained CA certs in my
<java_home>/jre/lib/security/cacerts file. That CA issued the server
cert too. It all works fine when I use Mozilla.

I'm pretty sure it's a problem with certificate chaining, as when I use
my own test CA, which doesn't have an intermediate CA.

I use a custom socket factory that works perfectly with my own test CA
too, which I must get around to posting some time, once I work out the
IP issues.

Any more thoughts or suggestions?

Thanks

Tim

----- Original Message -----
From: Michael Becke <becke@u.washington.edu>
Date: Tuesday, June 15, 2004 2:58 pm
Subject: Re: Invalid RSA modulus size

> Hi Tim,
> 
> This generally means the server's cert is signed by an untrusted 
> CA.  You can get around this in a couple of ways.
> 
>  - import the server's cert into the keystore you are using
>  - implement an SSL socket factory that is not so picky about who 
> signed the cert.  This is not recommended for production use but can be 
> useful for testing.  Take a look at the EasySSLProtocolSocketFactory 
> described in <http://jakarta.apache.org/commons/httpclient/sslguide.html> 
> for an example.
>  - Sign your server cert with a CA that is trusted by JSSE. 
> Please take a look at the JSSE docs for info about which CAs are trusted.
> 
> Mike
> 
> On Jun 14, 2004, at 10:19 PM, Tim Wild wrote:
> 
> > Thanks for that Oleg. Using JDK 1.5.0b2 does indeed get past the 
> > "invalid modulus size" error. I've got another error message now: 
> > "javax.net.ssl.SSLHandshakeException: 
> > sun.security.validator.ValidatorException: No trusted certificate 
> > found".
> >
> > My apache server has a certificate from a certification authority 
> > called Digital Identity, in New Zealand. They have a root certificate 
> > authority, then two sub-CAs (perhaps called chained CAs). My server 
> > certificate and client certificate are chained under one of these 
> > sub-CAs. When I use Mozilla it all works perfectly, it requests the 
> > certificate, the browser presents it, and I can see the page I 
> > requested.
> >
> > When I try the same thing using Java I get the error message above. I 
> > have a keystore with just my client certificate in it (nothing else), 
> > the same client certificate that works in Mozilla. I know it's finding 
> > the certificate because I'm having Java print out the alias of the 
> > certificate it's using. The CA certs are in the cacerts file of the 
> > JDK1.5 I'm using.
> >
> > Does anyone have any idea why I'm getting this error? Any thoughts or 
> > ideas about how to go forward or things to investigate would be 
> > welcome.
> >
> > Thanks
> >
> > Tim
> >
> > Oleg Kalnichevski wrote:
> >
> >> Tim,
> >>
> >> This is believed to be a limitation of all Sun's JCE/JSSE
> >> implementations up to Java version 1.5. You can try testing your
> >> application with Java 1.5-b2 to see if the problem has indeed been
> >> fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
> >> implementations which _may_ not exhibit the same limitation
> >>
> >> HTH
> >>
> >> Oleg
> >>
> >> On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
> >>
> >>> Hi,
> >>>
> >>> I'm using HttpClient to connect to an apache server that requires 
> >>> certificates. When I use client and server certificates from my own 
> >>> CA with 1024 bit keys it works perfectly. When I get a commercial 
> >>> certificate with a longer key (4096 bits), I get the following error 
> >>> (full message below) when I connect to apache:
> >>>
> >>> javax.net.ssl.SSLProtocolException: java.io.IOException: subject 
> >>> key, Unknown key spec: Invalid RSA modulus size.
> >>>
> >>> Google produced one result, which talked about a maximum key size 
> >>> using the JCE of 2048 bits using the JDK 1.4.2 default policy files. 
> >>> Another site suggested getting the unrestricted policy files, so I 
> >>> got and installed them, but it doesn't seem to make any difference 
> >>> at all.
> >>>
> >>> Does anyone have any thought or suggestions? Half formed thoughts or 
> >>> ideas are welcome as it might give me a lead that I can follow 
> >>> myself.
> >>>
> >>> Thanks
> >>>
> >>> Tim Wild
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: 
> >>> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>> For additional commands, e-mail: 
> >>> commons-httpclient-dev-help@jakarta.apache.org
> >>>
> >>>
> >>
> >>
> >>
> >>
> >
> >
> 
> 
> 
> 





