Tim,

You may want to completely override the default server certificate validation logic 
and provide your custom implementation.

Feel free to take AuthSSLProtocolSocketFactory.java and AuthSSLX509TrustManager.java 
classes below as a starting point

http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/?only_with_tag=HTTPCLIENT_2_0_BRANCH

Basically all it takes is to tweak AuthSSLX509TrustManager#isServerTrusted method and 
instead of delegating the control to the default trust manager implement the 
certificate chain validation that suits you best

 public boolean isServerTrusted(X509Certificate[] certificates) {
   ...
   return this.defaultTrustManager.isServerTrusted(certificates);
 }

HTH

Oleg
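As an added example (not from the HttpClient contrib sources or from Oleg's post), here is what that replacement for the delegation can look like when written against the standard javax.net.ssl.X509TrustManager interface (the 2.0-branch contrib classes implement the older com.sun.net.ssl interface, which is why the snippet above has a boolean isServerTrusted method instead of checkServerTrusted). Rather than trusting everything, it validates the server chain with the JDK's PKIX validator against an explicit truststore that holds the root CA and the intermediate CAs, which is the usual cause of "No trusted certificate found" when the intermediates are missing. The class name, the truststore path and the password are assumptions, not part of the original thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not part of the HttpClient contrib code: a trust manager that
 * validates the server chain with the JDK PKIX validator against an explicit
 * truststore (root CA plus the intermediate CAs that issue the server cert)
 * instead of delegating to the JVM's default trust manager. It fails closed:
 * any chain that does not build a path to a configured anchor is rejected.
 */
public class ExplicitChainTrustManager implements X509TrustManager {

    private final Set<X509Certificate> anchorCerts = new HashSet<>();
    private final PKIXParameters pkixParams;

    /**
     * @param truststorePath hypothetical path to a JKS truststore holding the
     *                       root CA and every intermediate CA in the issuing chain
     */
    public ExplicitChainTrustManager(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        // Every trusted-certificate entry in the keystore becomes a PKIX trust anchor.
        pkixParams = new PKIXParameters(ts);
        for (TrustAnchor ta : pkixParams.getTrustAnchors()) {
            anchorCerts.add(ta.getTrustedCert());
        }
        // Revocation checking needs CRL/OCSP reachability; enable it where that exists.
        pkixParams.setRevocationEnabled(false);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Server presented an empty certificate chain");
        }
        // Cut the chain at the first certificate that is itself a trust anchor:
        // the PKIX validator expects the path to end below the anchor, and this
        // works whether the server sends its root or not, and whether the
        // truststore holds only the root or the intermediates as well.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (anchorCerts.contains(c)) {
                break;
            }
            path.add(c);
        }
        if (path.isEmpty()) {
            throw new CertificateException("Chain contains only trust anchors; no server certificate");
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath certPath = cf.generateCertPath(path);
            // Checks signatures, validity periods, basic constraints and name
            // chaining from the leaf up to one of the configured anchors.
            CertPathValidator.getInstance("PKIX").validate(certPath, pkixParams);
        } catch (CertificateException e) {
            throw e;
        } catch (Exception e) {
            throw new CertificateException("Server certificate chain is not trusted: " + e.getMessage(), e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // This manager is only used on the client side to validate servers.
        throw new CertificateException("Client certificate validation is not supported here");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return anchorCerts.toArray(new X509Certificate[0]);
    }

    /** Builds an SSLSocketFactory whose handshakes use this trust manager. */
    public SSLSocketFactory socketFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx.getSocketFactory();
    }
}
```

A trust manager only decides whether the chain is trustworthy; matching the host name against the certificate is a separate check that still has to happen once the handshake completes. The socket factory returned here is what a custom SecureProtocolSocketFactory would wrap in place of the default one.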

-----Original Message-----
From: Tim Wild [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 15, 2004 7:29
To: Commons HttpClient Project
Subject: Re: Invalid RSA modulus size


Thanks Michael. I have the CA cert and the chained CA certs in my
<java_home>/jre/lib/security/cacerts file. That CA issued the server
cert too. It all works fine when I use Mozilla.

I'm pretty sure it's a problem with certificate chaining, as when I use
my own test CA, which doesn't have an intermediate CA.

I use a custom socket factory that works perfectly with my own test CA
too, which I must get around to posting some time, once I work out the
IP issues.

Any more thoughts or suggestions?

Thanks

Tim

----- Original Message -----
From: Michael Becke <[EMAIL PROTECTED]>
Date: Tuesday, June 15, 2004 2:58 pm
Subject: Re: Invalid RSA modulus size

> Hi Tim,
>
> This generally means the server's cert is signed by an
> untrusted
> CA.  You can get around this in a couple of ways.
>
>  - import the servers cert into the keystore you are using
>  - implement a SSL socket factory that is not so picky about who
> signed
> the cert.  This is not recommended for production use but can be
> useful
> for testing.  Take a look at the EasySSLProtocolSocketFactory
> described
> in <http://jakarta.apache.org/commons/httpclient/sslguide.html> for an
> example.
>  - Sign your server cert with a CA that is trusted by JSSE. 
> Please
> take a look at the JSSE docs for info about which CAs are trusted.
>
> Mike
>
> On Jun 14, 2004, at 10:19 PM, Tim Wild wrote:
>
> > Thanks for that Oleg. Using JDK 1.5.0b2 does indeed get past the
> > "invalid modulus size" error. I've got another error message
> now:
> > "javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: No trusted
> certificate
> > found".
> >
> > My apache server has a certificate from a certification
> authority
> > called Digital Identity, in New Zealand. They have a root
> certificate
> > authority, then two sub-CAs (perhaps called chained CAs). My
> server
> > certificate and client certificate are chained under one of
> these
> > sub-CAs. When I use Mozilla it all works perfectly, it requests
> the
> > certificate, the browser presents it, and I can see the page I
> > requested.
> >
> > When I try the same thing using Java I get the error message
> above. I
> > have a keystore with just my client certificate in it (nothing
> else),
> > the same client certificate that works in Mozilla. I know it's
> finding
> > the certificate because I'm having Java print out the alias of
> the
> > certificate it's using. The CA certs are in the cacerts file of
> the
> JDK1.5 I'm using.
> >
> > Does anyone have any idea why I'm getting this error? Any
> thoughts or
> > ideas about how to go forward or things to investigate would be
> > welcome.
> >
> > Thanks
> >
> > Tim
> >
> > Oleg Kalnichevski wrote:
> >
> >> Tim,
> >>
> >> This is believed to be a limitation of all Sun's JCE/JSSE
> >> implementations up to Java version 1.5. You can try testing your
> >> application with Java 1.5-b2 to see if the problem has indeed been
> >> fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
> >> implementations which _may_ not exhibit the same limitation
> >>
> >> HTH
> >>
> >> Oleg
> >>
> >> On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
> >>
> >>> Hi,
> >>>
> >>> I'm using HttpClient to connect to an apache server that
> requires
> >>> certificates. When I use client and server certificates from
> my own
> >>> CA with 1024 bit keys it works perfectly. When I get a
> commercial
> >>> certificate with a longer key (4096 bits), I get the following
> error
> >>> (full message below) when I connect to apache:
> >>>
> >>> javax.net.ssl.SSLProtocolException: java.io.IOException:
> subject
> >>> key, Unknown key spec: Invalid RSA modulus size.
> >>>
> >>> Google produced one result, which talked about a maximum key
> size
> >>> using the JCE of 2048 bits using the JDK 1.4.2 default policy
> files.
> >>> Another site suggested getting the unrestricted policy files,
> so I
> >>> got and installed them, but it doesn't seem to make any
> difference
> >>> at all.
> >>>
> >>> Does anyone have any thought or suggestions? Half formed
> thoughts or
> >>> ideas are welcome as it might give me a lead that I can follow
> >>> myself.
> >>>
> >>> Thanks
> >>>
> >>> Tim Wild
> >>>
> >>> ---------------------------------------------------------------
> ------
> >>> To unsubscribe, e-mail:
> >>> [EMAIL PROTECTED]
> >>> For additional commands, e-mail:
> >>> [EMAIL PROTECTED]
> >>>
> >>>
> >>
> >>
> >
>
>

