From: Roland Weber
To: "Commons HttpClient Project"
Subject: Re: Invalid RSA modulus size
Date: Mon, 21 Jun 2004 07:39:10 +0200
In-Reply-To: <2b76d2cec2.2cec22b76d@solnet.co.nz>

Hello Tim,

not quite. If you read carefully, that paragraph addresses
"import restrictions", not "export restrictions". It does not
say that the 1.4.2 code does not have crypto limitations as
a result of the US export regulations.
"No restrictions" in the policy files means "full strength"
of the implementation. If the implementation is crippled,
that won't help you.

cheers,
  Roland


Tim Wild
21.06.2004 07:23
Please respond to
"Commons HttpClient Project"

To
Commons HttpClient Project
cc

Subject
Re: Invalid RSA modulus size


Thanks Roland,

I just re-read the documentation that comes with the Unlimited Strength
Jurisdiction Policy Files, and it indicates that they do enable full
strength cryptography based on the configuration file. I've included the
applicable paragraph below.

Does anyone else have thoughts on this? It works fine in JDK 1.5 but not
1.4, which would indicate to me that it's a bug rather than it being
disabled. The exception I'm getting in JDK 1.4.2 is

javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size

Thanks

Tim

---
The JCE architecture allows flexible cryptographic strength to be
configured via jurisdiction policy files. Due to the import
restrictions of some countries, the jurisdiction policy files
distributed with the J2SDK, v 1.4.2 software have built-in
restrictions on available cryptographic strength.
The jurisdiction policy files in this download bundle (the bundle
including this README file) contain no restrictions on cryptographic
strengths. This is appropriate for most countries. Framework vendors
can create download bundles that include jurisdiction policy files
that specify cryptographic restrictions appropriate for countries
whose governments mandate restrictions. Users in those countries can
download an appropriate bundle, and the JCE framework will enforce
the specified restrictions.
---

----- Original Message -----
From: Roland Weber
Date: Monday, June 21, 2004 5:06 pm
Subject: Re: Invalid RSA modulus size

> Hello Tim,
>
> from what I know about the export regulations, shipping
> working crypto code that is just disabled through some
> configuration file is not acceptable. You will have to
> obtain a full-strength JCE/JSSE implementation. Either
> a US-only version of the JDK, or a non-US implementation
> of the library which is not subject to US or other export
> restrictions on cryptography.
>
> cheers,
>   Roland
>
>
> Tim Wild
> 21.06.2004 05:19
> Please respond to
> "Commons HttpClient Project"
>
> To
> Commons HttpClient Project
> cc
>
> Subject
> Re: Invalid RSA modulus size
>
>
> Does anyone know if the Unlimited Strength Jurisdiction Policy Files are
> meant to solve this problem, or is it actually a bug with the JDK1.4?
> The policy files don't help me at all on the JDK1.4.
>
> Thanks
>
> Tim
>
> Oleg Kalnichevski wrote:
>
> >Tim,
> >
> >This is believed to be a limitation of all Sun's JCE/JSSE
> >implementations up to Java version 1.5. You can try testing your
> >application with Java 1.5-b2 to see if the problem has indeed been
> >fixed.
> >Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
> >implementations which _may_ not exhibit the same limitation
> >
> >HTH
> >
> >Oleg
> >
> >On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
> >
> >>Hi,
> >>
> >>I'm using HttpClient to connect to an apache server that requires
> >>certificates. When I use client and server certificates from my own CA
> >>with 1024 bit keys it works perfectly. When I get a commercial
> >>certificate with a longer key (4096 bits), I get the following error
> >>(full message below) when I connect to apache:
> >>
> >>javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
> >>Unknown key spec: Invalid RSA modulus size.
> >>
> >>Google produced one result, which talked about a maximum key size using
> >>the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
> >>site suggested getting the unrestricted policy files, so I got and
> >>installed them, but it doesn't seem to make any difference at all.
> >>
> >>Does anyone have any thought or suggestions?
> >>Half formed thoughts or
> >>ideas are welcome as it might give me a lead that I can follow myself.
> >>
> >>Thanks
> >>
> >>Tim Wild

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
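
Added example, not part of the original thread and not HttpClient or JDK project code: a Java probe for the distinction drawn above between what the jurisdiction policy files allow and what the implementation accepts. It reports the policy limit for RSA and, separately, whether each installed provider's RSA KeyFactory accepts a public key of 1024, 2048 and 4096 bits. Assumptions: Java 5 or later (Cipher.getMaxAllowedKeyLength does not exist in 1.4); the class name, helper names and constructed moduli are illustrative.

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.Provider;
import java.security.Security;
import java.security.spec.RSAPublicKeySpec;
import javax.crypto.Cipher;

public class RsaModulusProbe {
    // Constructed value: an odd integer exactly `bits` bits long. It is not a
    // real RSA modulus; it only exercises the provider's key-spec validation.
    static BigInteger constructedModulus(int bits) {
        return BigInteger.ONE.shiftLeft(bits - 1).add(BigInteger.ONE);
    }

    // Returns null when the provider accepts the key spec, otherwise the
    // exception the provider raised (class name and message).
    static String probe(Provider provider, int bits) {
        try {
            KeyFactory kf = KeyFactory.getInstance("RSA", provider);
            RSAPublicKeySpec spec =
                new RSAPublicKeySpec(constructedModulus(bits), BigInteger.valueOf(65537));
            kf.generatePublic(spec);
            return null;
        } catch (Exception e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version: " + System.getProperty("java.version"));
        // Limit imposed by the installed jurisdiction policy files
        // (Integer.MAX_VALUE means the policy files set no limit).
        System.out.println("policy limit for RSA: " + Cipher.getMaxAllowedKeyLength("RSA"));

        // Limit imposed by each implementation, independent of the policy files.
        Provider[] providers = Security.getProviders("KeyFactory.RSA");
        if (providers == null) {
            System.out.println("no installed provider offers an RSA KeyFactory");
            return;
        }
        int[] sizes = {1024, 2048, 4096};
        for (int i = 0; i < providers.length; i++) {
            for (int j = 0; j < sizes.length; j++) {
                String error = probe(providers[i], sizes[j]);
                System.out.println(providers[i].getName() + " RSA-" + sizes[j] + ": "
                    + (error == null ? "accepted" : "rejected (" + error + ")"));
            }
        }
    }
}
```

A provider that validates more than the modulus length may reject the constructed values for another reason; the printed exception shows which.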