Setting up the server for TLS.

I'm in the process of adding SSL support to the Geronimo javamail NNTP providers. I wish to use James as my target test server for this, but I'm a bit of a newbie when it comes to keystores/truststores. Can anybody give me a recipe for configuring the necessary keystores and truststores to allow this environment to function? I've found the documentation on Using TLS in the James documentation, but the part about actually creating the keystore is a bit glossed over.

Rick

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@...
For additional commands, e-mail: server-dev-help@...

Re: Setting up the server for TLS.

Rick McGuire wrote:
> I'm in the process of adding SSL support to the Geronimo javamail NNTP
> providers. I wish to use James as my target test server for this, but
> I'm a bit of a newbie when it comes to keystores/truststores. Can
> anybody give me a recipe for configuring the necessary keystores and
> truststores to allow this environment to function? I've found the
> documentation on Using TLS in the James documentation, but the part
> about actually creating the keystore is a bit glossed over.
> Rick

Hi Rick,

try with this doc:
http://wiki.apache.org/james/UsingSSL

Stefano

Re: Setting up the server for TLS.

Thanks Stefano, that helped. I'm getting closer, but I'm still having a problem. I created the server cert using the directions you pointed me toward, and added the cert to the truststore using the directions I found here:

http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html

Now I'm getting an error on the server when I try to connect. See the log at the end. I'm running this on

java version "1.5.0_11"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)

Which I've used for successful SSL connections to other servers, so I suspect the problem is in either the server configuration or the cert I added to the truststore. I've sort of hit a dead end at this point, so any assistance is very much appreciated.

Rick

01/07/08 13:03:42 INFO nntpserver: NNTP Service will allow a maximum of 30 connections.
01/07/08 13:03:42 INFO nntpserver: NNTP Service started ssl:563
01/07/08 13:03:52 ERROR nntpserver: Exception during connection:Connection has been shutdown: javax.net.ssl.SSLException: Algorithm missing:
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Algorithm missing:
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1173)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:65)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:254)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:313)
    at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:411)
    at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:453)
    at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:183)
    at java.io.InputStreamReader.read(InputStreamReader.java:167)
    at java.io.BufferedReader.fill(BufferedReader.java:136)
    at java.io.BufferedReader.readLine(BufferedReader.java:299)
    at java.io.BufferedReader.readLine(BufferedReader.java:362)
    at org.apache.james.nntpserver.NNTPHandler.handleConnection(NNTPHandler.java:418)
    at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
    at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
    at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
Caused by: javax.net.ssl.SSLException: Algorithm missing:
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.changeReadCiphers(SSLSocketImpl.java:1662)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:886)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(StreamEncoder.java:410)
    at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:152)
    at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:213)
    at java.io.BufferedWriter.flush(BufferedWriter.java:236)
    at java.io.PrintWriter.flush(PrintWriter.java:270)
    at org.apache.james.util.InternetPrintWriter.println(InternetPrintWriter.java:92)
    at org.apache.james.util.InternetPrintWriter.println(InternetPrintWriter.java:189)
    at org.apache.james.nntpserver.NNTPHandler.writeLoggedFlushedResponse(NNTPHandler.java:1716)
    at org.apache.james.nntpserver.NNTPHandler.handleConnection(NNTPHandler.java:414)
    ... 3 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RC4
    at javax.crypto.Cipher.getInstance(DashoA12275)
    at com.sun.net.ssl.internal.ssl.JsseJce.getCipher(JsseJce.java:90)
    at com.sun.net.ssl.internal.ssl.CipherBox.<init>(CipherBox.java:84)
    at com.sun.net.ssl.internal.ssl.CipherBox.newCipherBox(CipherBox.java:118)
    at com.sun.net.ssl.internal.ssl.CipherSuite$BulkCipher.newCipher(CipherSuite.java:443)
    at com.sun.net.ssl.internal.ssl.Handshaker.newReadCipher(Handshaker.java:335)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.changeReadCiphers(SSLSocketImpl.java:1658)
    ... 18 more

Stefano Bagnara wrote:
> Rick McGuire wrote:
>> I'm in the process of adding SSL support to the Geronimo javamail
>> NNTP providers. I wish to use James as my target test server for
>> this, but I'm a bit of a newbie when it comes to
>> keystores/truststores. Can anybody give me a recipe for configuring
>> the necessary keystores and truststores to allow this
>> environment to function? I've found the documentation on Using TLS
>> in the James documentation, but the part about actually creating the
>> keystore is a bit glossed over.
>> Rick
>
> Hi Rick,
>
> try with this doc:
> http://wiki.apache.org/james/UsingSSL
>
> Stefano

Re: Setting up the server for TLS.

I guess I've partially answered my own question. If I run the James server using Java 1.4.2, then everything seems to work ok. It looks like there might be some incompatibility in the SSL setup moving to Java 5.

Rick

Stefano Bagnara wrote:
> Rick McGuire wrote:
>> I'm in the process of adding SSL support to the Geronimo javamail
>> NNTP providers. I wish to use James as my target test server for
>> this, but I'm a bit of a newbie when it comes to
>> keystores/truststores. Can anybody give me a recipe for configuring
>> the necessary keystores and truststores to allow this
>> environment to function? I've found the documentation on Using TLS
>> in the James documentation, but the part about actually creating the
>> keystore is a bit glossed over.
>> Rick
>
> Hi Rick,
>
> try with this doc:
> http://wiki.apache.org/james/UsingSSL
>
> Stefano

Re: Setting up the server for TLS.

Rick McGuire wrote:
> Thanks Stefano, that helped. I'm getting closer, but I'm still having a
> problem. I created the server cert using the directions you pointed me
> toward, and added the cert to the truststore using the directions I
> found here:
>
> http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
>
> Now I'm getting an error on the server when I try to connect. See the
> log at the end. I'm running this on
>
> java version "1.5.0_11"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
> Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
>
> Which I've used for successful SSL connections to other servers, so I
> suspect the problem is in either the server configuration or the cert I
> added to the truststore. I've sort of hit a dead end at this point, so
> any assistance is very much appreciated.

Hi Rick,

the jce lib you copy to JAMES_HOME/lib has to be the same as that of the JVM you use to run JAMES.
So if you want to run JAMES with java 1.5 you will also have to replace your 1.4 JCE in JAMES_HOME/lib with the 1.5 JCE.

Not sure this is your issue, let me know.

Stefano

Re: Setting up the server for TLS.

Stefano Bagnara wrote:
> Rick McGuire wrote:
>> Thanks Stefano, that helped. I'm getting closer, but I'm still
>> having a problem. I created the server cert using the directions you
>> pointed me toward, and added the cert to the truststore using the
>> directions I found here:
>>
>> http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
>>
>> Now I'm getting an error on the server when I try to connect. See
>> the log at the end. I'm running this on
>>
>> java version "1.5.0_11"
>> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
>> Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
>>
>> Which I've used for successful SSL connections to other servers, so I
>> suspect the problem is in either the server configuration or the cert
>> I added to the truststore. I've sort of hit a dead end at this point,
>> so any assistance is very much appreciated.
>
> Hi Rick,
>
> the jce lib you copy to JAMES_HOME/lib has to be the same as that of the JVM
> you use to run JAMES.
> So if you want to run JAMES with java 1.5 you will also have to
> replace your 1.4 JCE in JAMES_HOME/lib with the 1.5 JCE.
>
> Not sure this is your issue, let me know.

I'm not sure I understand this....I didn't copy any JCE to the JAMES_HOME/lib directory. However, I just went and double checked, and the JVM version that worked was not 1.4.2 like I believed, but rather 1.6. Is the JCE included in 1.4.2, but not in 1.6?

Rick

> Stefano

Re: Setting up the server for TLS.

Rick McGuire wrote:
> Stefano Bagnara wrote:
>> Rick McGuire wrote:
>>> Thanks Stefano, that helped. I'm getting closer, but I'm still
>>> having a problem. I created the server cert using the directions you
>>> pointed me toward, and added the cert to the truststore using the
>>> directions I found here:
>>>
>>> http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
>>>
>>> Now I'm getting an error on the server when I try to connect. See
>>> the log at the end. I'm running this on
>>>
>>> java version "1.5.0_11"
>>> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
>>> Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
>>>
>>> Which I've used for successful SSL connections to other servers, so I
>>> suspect the problem is in either the server configuration or the cert
>>> I added to the truststore. I've sort of hit a dead end at this point,
>>> so any assistance is very much appreciated.
>>
>> Hi Rick,
>>
>> the jce lib you copy to JAMES_HOME/lib has to be the same as that of the JVM
>> you use to run JAMES.
>> So if you want to run JAMES with java 1.5 you will also have to
>> replace your 1.4 JCE in JAMES_HOME/lib with the 1.5 JCE.
>>
>> Not sure this is your issue, let me know.
> I'm not sure I understand this....I didn't copy any JCE to the
> JAMES_HOME/lib directory. However, I just went and double checked, and
> the JVM version that worked was not 1.4.2 like I believed, but rather
> 1.6. Is the JCE included in 1.4.2, but not in 1.6?
> Rick

I don't use SSL, but AFAIK you have to copy the JCE from the JRE you use to run JAMES as described in the config.xml:

    <!-- JAMES TLS uses JSSE. This means that for many Sun JVMs,
    the sunjce_provider.jar must be copied from $JAVA_HOME/lib/ext
    into $JAMES_HOME/lib. It may also be necessary to download and
    install unlimited strength policies.
    -->
    <!--
    <useTLS>true</useTLS>
    -->
    <!-- Use provider elements to specify additional JCE providers.
    The jars should be put into $JAMES_HOME/lib.
    For example, Uncomment this if you want to use
    BouncyCastle JCE (http://www.bouncycastle.org)
    <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider> -->

I think this is true at least for java2 1.4 and java5... let us know,

Stefano

Re: Setting up the server for TLS.

On Wed, Jul 2, 2008 at 2:53 PM, Stefano Bagnara <apache@...> wrote:
> Rick McGuire wrote:
>> Stefano Bagnara wrote:
>>> Rick McGuire wrote:
>>>> Thanks Stefano, that helped. I'm getting closer, but I'm still having a
>>>> problem. I created the server cert using the directions you pointed me
>>>> toward, and added the cert to the truststore using the directions I found
>>>> here:
>>>>
>>>> http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
>>>>
>>>> Now I'm getting an error on the server when I try to connect. See the
>>>> log at the end. I'm running this on
>>>>
>>>> java version "1.5.0_11"
>>>> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
>>>> Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
>>>>
>>>> Which I've used for successful SSL connections to other servers, so I
>>>> suspect the problem is in either the server configuration or the cert I
>>>> added to the truststore. I've sort of hit a dead end at this point, so any
>>>> assistance is very much appreciated.
>>>
>>> Hi Rick,
>>>
>>> the jce lib you copy to JAMES_HOME/lib has to be the same as that of the JVM you
>>> use to run JAMES.
>>> So if you want to run JAMES with java 1.5 you will also have to replace
>>> your 1.4 JCE in JAMES_HOME/lib with the 1.5 JCE.
>>>
>>> Not sure this is your issue, let me know.
>>
>> I'm not sure I understand this....I didn't copy any JCE to the
>> JAMES_HOME/lib directory. However, I just went and double checked, and the
>> JVM version that worked was not 1.4.2 like I believed, but rather 1.6. Is
>> the JCE included in 1.4.2, but not in 1.6?
>> Rick
>
> I don't use SSL, but AFAIK you have to copy the JCE from the JRE you use to
> run JAMES as described in the config.xml:
>     <!-- JAMES TLS uses JSSE. This means that for many Sun JVMs,
>     the sunjce_provider.jar must be copied from $JAVA_HOME/lib/ext
>     into $JAMES_HOME/lib. It may also be necessary to download and
>     install unlimited strength policies.
>     -->
>     <!--
>     <useTLS>true</useTLS>
>     -->
>     <!-- Use provider elements to specify additional JCE providers.
>     The jars should be put into $JAMES_HOME/lib.
>     For example, Uncomment this if you want to use
>     BouncyCastle JCE (http://www.bouncycastle.org)
>     <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider> -->
>
> I think this is true at least for java2 1.4 and java5... let us know,

bouncy castle is a much better bet for JVM independence: IIRC the JCE characteristics seem to vary widely with different sun releases

- robert

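An added diagnostic for the failure discussed in this thread (not code from James or from any poster): it lists the JCE providers visible to the running JVM and reports which one, if any, supplies the RC4 cipher named in the stack trace. The class name JceProviderCheck and the extra transformations in the list are assumptions chosen for illustration.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/** Added diagnostic (hypothetical class name): which JCE provider, if any, supplies a cipher. */
public class JceProviderCheck {

    /** Returns the name of the provider serving the transformation, or null if none does. */
    static String providerFor(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (Exception e) { // NoSuchAlgorithmException or NoSuchPaddingException
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Providers in preference order, as seen by the JVM this check runs on.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " - " + p.getInfo());
        }

        // "RC4" is the name the lookup in the thread's stack trace failed on;
        // the other entries are illustrative bulk ciphers (assumption).
        String[] wanted = { "RC4", "DESede/CBC/NoPadding", "AES/CBC/NoPadding" };
        boolean missing = false;
        for (String t : wanted) {
            String name = providerFor(t);
            System.out.println(t + " -> " + (name == null ? "NO PROVIDER" : name));
            missing |= (name == null);
        }

        // Cipher suites the default JSSE context supports, for comparison with
        // the lookups above: the trace shows a handshake failing on the cipher lookup.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            System.out.println("suite: " + suite);
        }
        System.exit(missing ? 1 : 0); // non-zero exit when a wanted cipher has no provider
    }
}
```

Run it with the same java binary that starts the server so the provider list reflects that JVM; it needs Java 6 or later because of getSupportedSSLParameters().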