Re: Orion SSL? How?
Keith,

My experience is follow the instructions, and carefully read the instructions between the lines. Think hard when it doesn't work (there is an answer), and if you get really stuck, mail the list.

Rgds,
Mick

- Original Message -
From: "keith kwiatek" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: 12 July 2000 04:25
Subject: Orion SSL? How?

> Hello,
>
> I saw the brief FAQ on how to set up Orion SSL...
>
> http://www.orionserver.com/docs/ssl-howto.html
>
> but I also saw a lot of problems people posted trying to get it to work... What is the current state of instructions for getting Orion SSL to work?
>
> What is the non-brief version of the SSL installation instructions?
>
> Is it 128 bit encryption?
>
> Any pointers from experienced people?
>
> Thanks,
> Keith
Re: SSL key generation, yet again
I had something very similar with Windows98 and JDK1.2.2. I had to install JSSE 1.0.1 to get the RSA algorithm (and configure a new security provider in jre/lib/security/java/security).

Rgds,
Mick

- Original Message -
From: "Joseph B. Ottinger" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: 08 July 2000 12:52
Subject: SSL key generation, yet again

> Okay, this is very frustrating. :(
>
> I'm using Sun's JDK 1.3.0 for Linux, Orion 1.1.9. Output from java
> -version:
>
> java version "1.3.0beta"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0beta-b07)
> Java HotSpot(TM) Client VM (build 1.3.0beta-b04, mixed mode)
>
>
> I've tried the SSL-howto steps from www.orionserver.com; if I
> use -keyalg "RSA", I get this message:
>
> keytool error: java.security.NoSuchAlgorithmException: RSA
> KeyPairGenerator not available
>
> That's fairly self-explanatory, although odd. So, being intrepid and all,
> I simply remove the RSA specification, since this is just a test cert,
> after all.
>
> That allows me to create the keystore. The key password for is
> left as the same as the keystore password.
>
> So I go happily along my way, generating the .csr file with no obvious
> difficulty. I go to thawte.com, as the howto suggests. My only deviation
> from the howto is, as mentioned, the elimination of '-keyalg "RSA"' from
> the keytool invocation.
>
> At thawte.com, I post my certificate request via IE5, set validity for 360
> days, valid from now, type of certificate is "Test SSL Chained CA Cert",
> and use the default certificate format. I hit the "Generate Test
> Certificate" submit button and get a certificate, in PKCS #7 SIGNED DATA
> format.
>
> I take the certificate source, cat it into a .cer file, as the howto
> suggests.
>
> And here's where things start falling apart.
>
> % keytool -keystore keystore -import -trustcacerts -file cupid.cer
> Enter keystore password: 123456
> keytool error: java.lang.Exception: Certificate chain in reply does not
> verify: MD5WITHRSA Signature not available
>
> Well, since I don't have RSA in the JDK, I suppose that makes sense.
>
> However, there's not a lot I can do about it, since chained certs
> apparently only use the RSA algorithm; thawte says they ignore any
> specifications for chained CA certs, using ONLY PKCS #7 for these. I don't
> know where to get a version of the RSA algorithm for JSSE (I downloaded
> the JSSE stuff from Sun, but Orion's version looks more recent, so I'm
> using Orion's). jcert.jar does, in fact, have an MD5RSA algorithm, but I
> have no idea how to tell Java that, or why it's not realising it on its
> own.
>
> Can anyone help? This is a critical issue for me and I am royally stuck.
>
> ---
> Joseph B. Ottinger [EMAIL PROTECTED]
> http://cupid.suninternet.com/~joeo HOMES.COM Developer
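Added example (not part of either message, and not Orion or Sun code): a small Java diagnostic for the two keytool errors quoted in the thread above. It lists the security providers the JVM has installed and reports which of them, if any, supply the RSA KeyPairGenerator and the MD5withRSA Signature. The class name `ProviderCheck` is an assumption made for this example.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Added diagnostic (not from the thread): shows which installed security
// providers, if any, supply the two algorithms keytool could not find.
public class ProviderCheck {

    // Names of the providers registering the given "Type.Algorithm" service,
    // in preference order; empty string when no installed provider has it.
    static String providersFor(String filter) {
        Provider[] found = Security.getProviders(filter); // null if none match
        if (found == null) {
            return "";
        }
        StringBuffer names = new StringBuffer();
        for (int i = 0; i < found.length; i++) {
            if (i > 0) {
                names.append(", ");
            }
            names.append(found[i].getName());
        }
        return names.toString();
    }

    public static void main(String[] args) {
        // Every provider currently installed in this JVM, in preference order.
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            System.out.println("provider " + (i + 1) + ": " + all[i].getName());
        }

        String[] filters = { "KeyPairGenerator.RSA", "Signature.MD5withRSA" };
        for (int i = 0; i < filters.length; i++) {
            String names = providersFor(filters[i]);
            System.out.println(filters[i] + " -> "
                    + (names.length() == 0 ? "NOT AVAILABLE" : names));
        }

        // Direct lookups of the algorithms named in the two quoted errors.
        try {
            KeyPairGenerator.getInstance("RSA");
            Signature.getInstance("MD5withRSA");
            System.out.println("RSA key generation and MD5withRSA signatures are usable");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("missing algorithm: " + e.getMessage());
        }
    }
}
```

Run it with the same `java` binary that keytool belongs to. A jar on the classpath that contains an RSA implementation does not appear in this list until its provider class is registered with the JVM.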
Re: SSL problems
Some thoughts:
- Check the version of Java you're using
- When using JDK1.2.2 I needed to also install jsse1.0.1 to pick up the security classes
- If you've got JDK1.3 I think the classes are included (so I'm no help)

Rgds,
Mick

- Original Message -
From: "Peter" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: 15 June 2000 17:56
Subject: SSL problems

> Hi there,
>
>
> I've tried to follow the ssl-howto but I can't get orion to start my
> secure site.
> This is the error I've got:
>
> Error starting HttpServer: Unable to intialize SSLServerSocketFactory
> 'com.everm
> ind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error: Cannot
> recover key
>
> Orion/1.0rc1 (Internal build 5) initialized
>
>
> Any suggestion ?
>
> Thanx,
> Peter
Re: Specifying a particular cert server for Orion/SSL
Andy,

I've been struggling with client certs, my question is attached, any help appreciated.

My thoughts on your problem - have you tried removing the Verisign cert from cacerts in jre/lib/security/cacerts? In my config there's a Verisign cert there by default (keytool -list -v -keystore cacerts).

At least you're getting the ability to use a Verisign cert, I'm getting nowhere!

Rgds,
Mick

- Original Message -
From: "Andy Lawrence" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: 12 June 2000 22:57
Subject: Specifying a particular cert server for Orion/SSL

> Hi,
>
> When setting up SSL in Orion, how can I specify that the SSL portion of
> Orion should ONLY accept client certs that were issued from a particular
> host? IE, if I have a private CA that issues client certs for my
> application, how can I accept ONLY those, and not those from Verisign?
>
> TIA

Help on the following appreciated:

Having done the following:
- configured Orion for SSL Client Authentication (as below)
- obtained certificate from Thawte
- checked that the CA root cert (corresponding to my cert) is in jre\lib\security\cacerts

IE5 presents me with the choice of no certificates when accessing the secure web site. NN5 shows my list of certs, but attempted access with the Thawte cert fails.

Any ideas? Solutions or "where to look" would help!

I had assumed that I should be able to add trusted CA certs somewhere so that I could allow anyone with a cert from a trusted CA into the site. Is this possible? If so, how?

Also, I don't fully understand the significance of ssl-user-registration.jsp. Why would I want a user with a cert to register (I trust him)? Have I missed something fundamental here?

Thanks,
Mick

Here's the web-site config:
SSL Client Authentication
Having done the following:
- configured Orion for SSL Client Authentication (as below)
- obtained certificate from Thawte
- checked that the CA root cert (corresponding to my cert) is in jre\lib\security\cacerts

IE5 presents me with the choice of no certificates when accessing the secure web site. NN5 shows my list of certs, but attempted access with the Thawte cert fails.

Any ideas? Solutions or "where to look" would help!

I had assumed that I should be able to add trusted CA certs somewhere so that I could allow anyone with a cert from a trusted CA into the site. Is this possible? If so, how?

Also, I don't fully understand the significance of ssl-user-registration.jsp. Why would I want a user with a cert to register (I trust him)? Have I missed something fundamental here?

Thanks,
Mick

Here's the web-site config: