Re: problem with jsse

2000-08-19 Thread Emmanuel Dreux

IT WORKS, IT WORKS, IT WORKS.

This is the end of a two-day nightmare putting SSL in place with JSSE.

In my previous email, attached here, everything was fine ... except that
keytool did not put the info where I wanted:
it put it in .keystore in my home directory, so:
mv .keystore $JAVA_HOME/lib/security/cacerts
There is an option in keytool to specify it at the command prompt:
-keystore cacerts (or jssecacerts)

keytool -list now matches keytool -list -keystore cacerts.


The second thing is that the file is password protected.
I added the following code:
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
System.setProperty("javax.net.debug", "all");
/* System.setProperty("javax.net.ssl.keyStore", "/tmp/keystore");
   keyStore is for use with a trust manager */
System.setProperty("javax.net.ssl.trustStorePassword", "password");

/* X509TrustManager tm = new MyX509TrustManager();
   KeyManager[] km = null;
   TrustManager[] tma = {tm};
   SSLContext sc = SSLContext.getInstance("SSL");
   sc.init(km, tma, new java.security.SecureRandom());
   // SSLSocketFactory sf1 = sc.getSocketFactory();
*/
URL url = new URL(strhost);
URLConnection uc = (URLConnection) url.openConnection();

More info at http://java.sun.com/products/jsse/CHANGES.txt

I've seen this problem posted since September 1999 without an answer in the
Sun Java forums.
I will post here a troubleshooting script containing all the problems
I've been facing (problems inserting self-trusted root certificates with
keytool, playing with certificate formats, writing servlet code, debugging
with s_client and javax.net.debug).

Thanks to the members of this list for this great mailing list.
Manu.
 
 Hi everybody,
 I hope it's the right place to post this question :
 
 It's related to JSSE, keytool and OpenSSL: I cannot get a servlet
 whose SSL implementation is JSSE to work against an OpenSSL server (apache
 + mod_ssl).
 
 I have a servlet (client) that opens an SSL connection to another
 servlet (server).
 
 "ssl" client code :
 java.security.Security.addProvider(new
 com.sun.net.ssl.internal.ssl.Provider());
 System.setProperty("java.protocol.handler.pkgs",
 "com.sun.net.ssl.internal.www.protocol");
 System.setProperty("javax.net.debug", "all");
 URL url = new URL(strhost);
 URLConnection uc = (URLConnection)url.openConnection();
 
 the server servlet is under an apache directive with mod_ssl enabled
 and has no specific ssl java code : ssl connection is handled by
 apache+mod_ssl
 
 I generated my own cert CA Authority which signed my server certificate
 request :
 openssl genrsa -des -out ca.key 1024
 openssl req -new -x509 -days 365 -key ca.key -out ca.crt
 openssl genrsa -des3 -out server.key 1024
 openssl req -new -key server.key -out server.csr
 sign server.csr
 
 restart apache
 https://myurl : Ok : new certificate window prompt. I can install it in
 a browser.
 
 Now I try to access an url from my client servlet :
 First setup jsse and default provider: ok
 import CA certificate into cacerts with keytool:
 openssl  x509 -in ca.crt -out ca.der -outform DER
 keytool -import -trustcacerts -alias mycatest -file ca.der  (keytool
 accepts X.509 certificates)
 
 import server certificate (because with the CA certificate it did
 not work):
 openssl  x509 -in servera.crt -out server.der -outform DER
 keytool -import -trustcacerts -alias mycatest -file server.der
 
 keytool -list shows the two certificates.
 
 Connection with : openssl s_client -connect localhost:443 -state -debug
 depth=1 /C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=Emmanuel
 [EMAIL PROTECTED]
 verify error:num=19:self signed certificate in certificate chain
 verify return:0
 SSL_connect:SSLv3 read server certificate A
 ...
 ---
 Certificate chain
  0
 s:[EMAIL PROTECTED]
 
 i:[EMAIL PROTECTED]
  1 s:/C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=nickaname
 [EMAIL PROTECTED]
i:/C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=nickaname
 [EMAIL PROTECTED]
 ---
 No client certificate CA names sent
 
 New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
 Server public key is 512 bit
 SSL-Session:
 Protocol  : TLSv1
 Cipher: EDH-RSA-DES-CBC3-SHA
 Session-ID:
 610AF250BF396265C16FC34774F5AD3C7392DBCFFDF3F0336D61F1CA2251917C
 Session-ID-ctx:
 Master-Key:
 
EB3C8F5C1E6B04DB527E0EBB802CA7C6224AC77944C9FC6C342D26C0970C3509FF28DB40837BA5AB368A7BDE3D402D0A
 Key-Arg   : None
 Start Time: 966719686
 Timeout   : 300 (sec)
 Verify return code: 0 (ok)
 ---
 
 Connection with servlet / jsse :
 Compression Method: 0
 ***
 %% Created:  [Session-1, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
 ** SSL_RSA_EXPORT_WITH_RC4_40_MD5
 [read] MD5 and SHA1 hashes:  len = 74
 : 02 00 00 46 03 01 39 9E   F7 B3 CB 72 72 38 19 65
 ...F..9rr8.e
 0010: 92 AA D7 
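
As an added example (not code from Emmanuel's post), here is the same setup done explicitly through the javax.net.ssl API of later JDKs instead of system properties: the truststore is loaded from a path given on the command line, its CA entries are listed (what keytool -list -keystore confirmed above), and an SSLContext built from only that keystore is used for the HTTPS connection. The truststore path, password and URL are placeholders taken from the program arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ExplicitTrustStore {
    // Load the truststore from an explicit path instead of relying on the JSSE
    // default search order (jssecacerts, then cacerts under lib/security).
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");      // the format keytool writes
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);                      // wrong password: IOException
        }
        return ks;
    }

    // Programmatic equivalent of "keytool -list -keystore <path>": show which CAs this client trusts.
    static void listTrustedCerts(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + " -> " + c.getSubjectX500Principal());
            }
        }
    }

    // SSLContext whose trust decisions come only from this keystore; no KeyManager,
    // since the server in the thread does not request a client certificate.
    static SSLContext contextFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args: <truststore path> <truststore password> <https url>  (placeholders)
        KeyStore ks = loadTrustStore(args[0], args[1].toCharArray());
        listTrustedCerts(ks);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(contextFor(ks).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
    }
}
```

If the server's CA is missing from the loaded keystore, the handshake fails with an SSLHandshakeException naming the untrusted path, which is the JSSE-side counterpart of s_client's "self signed certificate in certificate chain" above.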

Installation Problem!

2000-08-19 Thread Vimalan.G

Hi,
During installation of OpenSSL 0.9.5a, make test fails.
I have attached the log file (make report).
Can you help me in this regard?

OpenSSL self-test report:

OpenSSL version:  0.9.5a
Last change:  Make sure _lrotl and _lrotr are only used with MSVC
Options:  no-asm -D_REENTRANT
OS (uname):   HP-UX nnmhpt2 B.10.20 C 9000/780 2016758503 32-user license
OS (config):  9000/780-hp-hpux10
Target (default): hpux-parisc-cc
Target:   hpux-parisc-cc
Compiler: cc: CCOPTS is not set.
cc: LPATH is /usr/lib/pa1.1:/usr/lib:/opt/langtools/lib:
/usr/ccs/bin/ld /opt/langtools/lib/crt0.o -u main -lc
cc: Entering Link editor.
/usr/ccs/bin/ld: Unsatisfied symbols:
   main

Failure!
-
