Thanks for your response! I have checked the Mozilla SSL library (JSS) and it seems to support the cipher I am interested in, 'TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA'. However, it requires the NSS component, which needs to generate a security database. And this may make my application too complicated and inflexible.

What I need is an SSL library with a provider that supports the cipher 'TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA'. It will be a great help if you can give me some guidance or information on this.

Thanks again for your time.

Xiaofeng

-----Original Message-----
From: Julius Davies [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 26, 2006 9:29 PM
To: HttpClient User Discussion
Subject: Re: commons-ssl-0.3.4 released

Hi, Xiaofeng,

Sorry. Commons-SSL doesn't actually implement SSL. That's left to the underlying JSSE provider. Commons-SSL sits on top of the provider and tries to make common tasks easier. I like to think of this library as a "HARD-to-EASY" adapter. It takes something that's hard - for example, turning off certificate expiry checking requires about a hundred lines of code - and makes it easy:

    socketFactory.setCheckExpiry( false );

Regarding your question, looks like Sun Java 6 supports the following ciphers:

SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

You may have some luck with Mozilla's "JSS" library:

http://www.mozilla.org/projects/security/pki/jss/

But it looks pretty daunting to me!

yours,

Julius
http://juliusdavies.ca/

ps. here's the 100 lines (okay, more like 70 lines):

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateExpiredException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    // Load the JRE's default trust store (cacerts).
    String javaHome = System.getProperty( "java.home" );
    String pathToCacerts = javaHome + "/lib/security/cacerts";
    FileInputStream in = new FileInputStream( pathToCacerts );
    KeyStore ks = KeyStore.getInstance( "jks" );
    ks.load( in, null );
    in.close();

    String alg = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory tmf = TrustManagerFactory.getInstance( alg );
    tmf.init( ks );
    TrustManager[] trustManagers = tmf.getTrustManagers();

    // Wrap each default trust manager in one that ignores expiry failures.
    for ( int i = 0; i < trustManagers.length; i++ )
    {
        final X509TrustManager tm = (X509TrustManager) trustManagers[ i ];
        // Must be an X509TrustManager, otherwise JSSE will not use it.
        trustManagers[ i ] = new X509TrustManager()
        {
            public void checkClientTrusted( X509Certificate[] chain, String authType )
                throws CertificateException
            {
                // we're only turning off expiry checking for server certs in this example.
                tm.checkClientTrusted( chain, authType );
            }

            public void checkServerTrusted( X509Certificate[] chain, String authType )
                throws CertificateException
            {
                CertificateException ce = null;
                try
                {
                    tm.checkServerTrusted( chain, authType );
                }
                catch ( CertificateException e )
                {
                    ce = e;
                }
                if ( ce != null )
                {
                    Throwable root = getRootThrowable( ce );
                    boolean expiryProblem = root instanceof CertificateExpiredException;
                    if ( expiryProblem )
                    {
                        // not a problem - we've turned expiry checking off!
                    }
                    else
                    {
                        throw ce;
                    }
                }
            }

            public X509Certificate[] getAcceptedIssuers()
            {
                return tm.getAcceptedIssuers();
            }

            // Walk the cause chain down to the original exception.
            private Throwable getRootThrowable( Throwable t )
            {
                if ( t == null )
                {
                    return t;
                }
                Throwable cause = t.getCause();
                while ( cause != null && !t.equals( cause ) )
                {
                    t = cause;
                    cause = t.getCause();
                }
                return t;
            }
        };
    }

    SSLContext sslContext = SSLContext.getInstance( "TLS" );
    sslContext.init( null, trustManagers, null );

    // Finally!  A SocketFactory that doesn't check expiry of the server's cert.
    // (It does check everything else).  (Except CRLs).  ;-)
    SSLSocketFactory socketFactory = sslContext.getSocketFactory();

On 11/26/06, Xiaofeng Li <[EMAIL PROTECTED]> wrote:
> Does this SSL support the cipher
> 'TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA'?
>
> Thanks
>
> -----Original Message-----
> From: Julius Davies [mailto:[EMAIL PROTECTED]
> Sent: Saturday, November 25, 2006 7:13 PM
> To: [email protected]; HttpClient User Discussion
> Subject: commons-ssl-0.3.4 released
>
>
> Hi,
>
> I've just released commons-ssl-0.3.4.
>
> http://juliusdavies.ca/commons-ssl/
>
>
> Three changes since 0.3.3:
>
> #1.
> ==================================
> ssl.setCheckExpiry( false ) now works!
> ssl.setCheckExpiry( true ) now has an effect with Java 1.3.  (Java
> 1.4, 5, 6 all properly checked certificate expiry anyway, but it looks
> like 1.3 forgot to.)
>
> #2.
> ==================================
> The "CRL pass/fail SHA1 fingerprint cache" only discards the
> certificates which PASSED the check every 24 hours now.  Certificates
> which failed the check will keep their 20 byte SHA1 fingerprint in the
> cache forever (or until the next JVM restart).
>
>
> #3.
> ==================================
> Looks like TrustMaterial.TRUST_ALL stopped working recently on Java 5
> and 6.  Fixed.
>
>
> Aside from these three code changes, I also updated the documentation.
> The "downloads" page includes a "Roadmap".  The "main" page thanks
> Oleg for his original AuthSSLProtocolSocketFactory.java on which this
> is all based.
>
> --
> yours,
>
> Julius Davies
> 416-652-0183
> http://juliusdavies.ca/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
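
The reply in this thread says that the available cipher suites are whatever the underlying JSSE provider offers. The following is an added example, not part of the original thread or of Commons-SSL: it asks the default provider whether a named suite is supported and enabled, and lists the supported suites that carry no or weak protection. The class name CipherSuiteCheck and the list of name fragments are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name): query the JSSE provider's cipher suites.
public class CipherSuiteCheck {

    // Name fragments of suites with no or weak protection (heuristic, not exhaustive).
    private static final String[] WEAK_MARKERS =
            { "_EXPORT", "_NULL_", "_anon_", "_DES_", "_DES40_", "_RC4_" };

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    static List<String> weakSuites(String[] suites) {
        List<String> weak = new ArrayList<String>();
        for (String suite : suites) {
            if (isWeak(suite)) {
                weak.add(suite);
            }
        }
        return weak;
    }

    public static void main(String[] args) throws Exception {
        // Suite to look for; defaults to the one asked about in the thread.
        String wanted = args.length > 0 ? args[0] : "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA";

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        System.out.println(wanted + " supported: " + Arrays.asList(supported).contains(wanted));
        System.out.println(wanted + " enabled by default: " + Arrays.asList(enabled).contains(wanted));

        // Weak suites the provider can still negotiate if something enables them.
        System.out.println("Weak suites supported: " + weakSuites(supported));
        System.out.println("Weak suites enabled by default: " + weakSuites(enabled));
    }
}
```

A suite that is supported but not enabled by default can still be negotiated if application code enables it, so both lists are worth reviewing on the JRE actually deployed.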
