Posted to server-dev@james.apache.org by Rick McGuire <ri...@gmail.com> on 2008/07/01 16:43:54 UTC
Setting up the server for TLS.
I'm in the process of adding SSL support to the Geronimo javamail NNTP
providers. I wish to use James as my target test server for this, but
I'm a bit of a newbie when it comes to keystores/truststores. Can
anybody give me a recipe for configuring the necessary keystores and
truststores to allow this environment to function? I've found the
documentation on Using TLS in the James documentation, but the part
about actually creating the keystore is a bit glossed over.
Rick
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: Setting up the server for TLS.
Posted by Rick McGuire <ri...@gmail.com>.
I guess I've partially answered my own question. If I run the James
server using Java 1.4.2, then everything seems to work ok. It looks
like there might be some incompatibility in the SSL setup moving to Java 5.
Rick
Stefano Bagnara wrote:
> Rick McGuire ha scritto:
>> I'm in the process of adding SSL support to the Geronimo javamail
>> NNTP providers. I wish to use James as my target test server for
>> this, but I'm a bit of a newbie when it comes to
>> keystores/truststores. Can anybody give me a recipe for configuring
>> the necessary keystores and truststores to allow this
>> environment to function? I've found the documentation on Using TLS
>> in the James documentation, but the part about actually creating the
>> keystore is a bit glossed over.
>> Rick
>
> Hi Rick,
>
> try with this doc:
> http://wiki.apache.org/james/UsingSSL
>
> Stefano
>
Re: Setting up the server for TLS.
Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Wed, Jul 2, 2008 at 2:53 PM, Stefano Bagnara <ap...@bago.org> wrote:
> Rick McGuire ha scritto:
>>
>> Stefano Bagnara wrote:
>>>
>>> Rick McGuire ha scritto:
>>>>
>>>> Thanks Stefano, that helped. I'm getting closer, but I'm still having a
>>>> problem. I created the server cert using the directions you pointed me
>>>> toward, and added the cert to the truststore using the directions I found
>>>> here:
>>>>
>>>> http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
>>>>
>>>> Now I'm getting an error on the server when I try to connect. See the
>>>> log at the end. I'm running this on
>>>>
>>>> java version "1.5.0_11"
>>>> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
>>>> Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
>>>>
>>>> Which I've used for successful SSL connections to other servers, so I
>>>> suspect the problem is in either the server configuration or the cert I
>>>> added to the truststore. I've sort of hit a dead end at this point, so any
>>>> assistance is very much appreciated.
>>>
>>> Hi Rick,
>>>
>>> the JCE lib you copy to JAMES_HOME/lib has to be the same as that of the JVM you
>>> use to run JAMES.
>>> So if you want to run JAMES with Java 1.5 you will also have to replace
>>> your 1.4 JCE in JAMES_HOME/lib with the 1.5 JCE.
>>>
>>> Not sure this is your issue, let me know.
>>
>> I'm not sure I understand this....I didn't copy any JCE to the
>> JAMES_HOME/lib directory. However, I just went and double checked, and the
>> JVM version that worked was not 1.4.2 like I believed, but rather 1.6. Is
>> the JCE included in 1.4.2, but not in 1.6?
>> Rick
>
> I don't use SSL, but AFAIK you have to copy the JCE from the JRE you use to
> run JAMES as described in the config.xml:
> <!-- JAMES TLS uses JSSE. This means that for many Sun JVMs,
> the sunjce_provider.jar must be copied from $JAVA_HOME/lib/ext
> into $JAMES_HOME/lib. It may also be necessary to download and
> install unlimited strength policies. -->
> <!--
> <useTLS>true</useTLS>
> -->
> <!-- Use provider elements to specify additional JCE providers.
> The jars should be put into $JAMES_HOME/lib.
> For example, Uncomment this if you want to use
> BouncyCastle JCE (http://www.bouncycastle.org)
> <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider> -->
>
> I think this is true at least for java2 1.4 and java5... let us know,
bouncy castle is a much better bet for JVM independence: IIRC the JCE
characteristics seem to vary widely with different sun releases
- robert
Re: Setting up the server for TLS.
Posted by Stefano Bagnara <ap...@bago.org>.
Rick McGuire ha scritto:
> Stefano Bagnara wrote:
>> Rick McGuire ha scritto:
>>> Thanks Stefano, that helped. I'm getting closer, but I'm still
>>> having a problem. I created the server cert using the directions you
>>> pointed me toward, and added the cert to the truststore using the
>>> directions I found here:
>>>
>>> http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
>>>
>>> Now I'm getting an error on the server when I try to connect. See
>>> the log at the end. I'm running this on
>>>
>>> java version "1.5.0_11"
>>> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
>>> Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
>>>
>>> Which I've used for successful SSL connections to other servers, so I
>>> suspect the problem is in either the server configuration or the cert
>>> I added to the truststore. I've sort of hit a dead end at this point,
>>> so any assistance is very much appreciated.
>>
>> Hi Rick,
>>
>> the JCE lib you copy to JAMES_HOME/lib has to be the same as that of the JVM
>> you use to run JAMES.
>> So if you want to run JAMES with Java 1.5 you will also have to
>> replace your 1.4 JCE in JAMES_HOME/lib with the 1.5 JCE.
>>
>> Not sure this is your issue, let me know.
> I'm not sure I understand this....I didn't copy any JCE to the
> JAMES_HOME/lib directory. However, I just went and double checked, and
> the JVM version that worked was not 1.4.2 like I believed, but rather
> 1.6. Is the JCE included in 1.4.2, but not in 1.6?
> Rick
I don't use SSL, but AFAIK you have to copy the JCE from the JRE you use
to run JAMES as described in the config.xml:
<!-- JAMES TLS uses JSSE. This means that for many Sun JVMs,
the sunjce_provider.jar must be copied from $JAVA_HOME/lib/ext
into $JAMES_HOME/lib. It may also be necessary to download and
install unlimited strength policies. -->
<!--
<useTLS>true</useTLS>
-->
<!-- Use provider elements to specify additional JCE providers.
The jars should be put into $JAMES_HOME/lib.
For example, Uncomment this if you want to use
BouncyCastle JCE (http://www.bouncycastle.org)
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider> -->
I think this is true at least for java2 1.4 and java5... let us know,
Stefano
Re: Setting up the server for TLS.
Posted by Rick McGuire <ri...@gmail.com>.
Stefano Bagnara wrote:
> Rick McGuire ha scritto:
>> Thanks Stefano, that helped. I'm getting closer, but I'm still
>> having a problem. I created the server cert using the directions you
>> pointed me toward, and added the cert to the truststore using the
>> directions I found here:
>>
>> http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
>>
>> Now I'm getting an error on the server when I try to connect. See
>> the log at the end. I'm running this on
>>
>> java version "1.5.0_11"
>> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
>> Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
>>
>> Which I've used for successful SSL connections to other servers, so I
>> suspect the problem is in either the server configuration or the cert
>> I added to the truststore. I've sort of hit a dead end at this point,
>> so any assistance is very much appreciated.
>
> Hi Rick,
>
> the JCE lib you copy to JAMES_HOME/lib has to be the same as that of the JVM
> you use to run JAMES.
> So if you want to run JAMES with Java 1.5 you will also have to
> replace your 1.4 JCE in JAMES_HOME/lib with the 1.5 JCE.
>
> Not sure this is your issue, let me know.
I'm not sure I understand this....I didn't copy any JCE to the
JAMES_HOME/lib directory. However, I just went and double checked, and
the JVM version that worked was not 1.4.2 like I believed, but rather
1.6. Is the JCE included in 1.4.2, but not in 1.6?
Rick
> Stefano
>
Re: Setting up the server for TLS.
Posted by Stefano Bagnara <ap...@bago.org>.
Rick McGuire ha scritto:
> Thanks Stefano, that helped. I'm getting closer, but I'm still having a
> problem. I created the server cert using the directions you pointed me
> toward, and added the cert to the truststore using the directions I
> found here:
>
> http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
>
> Now I'm getting an error on the server when I try to connect. See the
> log at the end. I'm running this on
>
> java version "1.5.0_11"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
> Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
>
> Which I've used for successful SSL connections to other servers, so I
> suspect the problem is in either the server configuration or the cert I
> added to the truststore. I've sort of hit a dead end at this point, so
> any assistance is very much appreciated.
Hi Rick,
the JCE lib you copy to JAMES_HOME/lib has to be the same as that of the JVM
you use to run JAMES.
So if you want to run JAMES with Java 1.5 you will also have to replace
your 1.4 JCE in JAMES_HOME/lib with the 1.5 JCE.
Not sure this is your issue, let me know.
Stefano
Re: Setting up the server for TLS.
Posted by Rick McGuire <ri...@gmail.com>.
Thanks Stefano, that helped. I'm getting closer, but I'm still having a
problem. I created the server cert using the directions you pointed me
toward, and added the cert to the truststore using the directions I
found here:
http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html
Now I'm getting an error on the server when I try to connect. See the
log at the end. I'm running this on
java version "1.5.0_11"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)
Which I've used for successful SSL connections to other servers, so I
suspect the problem is in either the server configuration or the cert I
added to the truststore. I've sort of hit a dead end at this point, so
any assistance is very much appreciated.
Rick
01/07/08 13:03:42 INFO nntpserver: NNTP Service will allow a maximum of 30 connections.
01/07/08 13:03:42 INFO nntpserver: NNTP Service started ssl:563
01/07/08 13:03:52 ERROR nntpserver: Exception during connection:Connection has been shutdown: javax.net.ssl.SSLException: Algorithm missing:
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Algorithm missing:
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1173)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:65)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:254)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:313)
    at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:411)
    at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:453)
    at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:183)
    at java.io.InputStreamReader.read(InputStreamReader.java:167)
    at java.io.BufferedReader.fill(BufferedReader.java:136)
    at java.io.BufferedReader.readLine(BufferedReader.java:299)
    at java.io.BufferedReader.readLine(BufferedReader.java:362)
    at org.apache.james.nntpserver.NNTPHandler.handleConnection(NNTPHandler.java:418)
    at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
    at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
    at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
Caused by: javax.net.ssl.SSLException: Algorithm missing:
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.changeReadCiphers(SSLSocketImpl.java:1662)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:886)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(StreamEncoder.java:410)
    at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:152)
    at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:213)
    at java.io.BufferedWriter.flush(BufferedWriter.java:236)
    at java.io.PrintWriter.flush(PrintWriter.java:270)
    at org.apache.james.util.InternetPrintWriter.println(InternetPrintWriter.java:92)
    at org.apache.james.util.InternetPrintWriter.println(InternetPrintWriter.java:189)
    at org.apache.james.nntpserver.NNTPHandler.writeLoggedFlushedResponse(NNTPHandler.java:1716)
    at org.apache.james.nntpserver.NNTPHandler.handleConnection(NNTPHandler.java:414)
    ... 3 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RC4
    at javax.crypto.Cipher.getInstance(DashoA12275)
    at com.sun.net.ssl.internal.ssl.JsseJce.getCipher(JsseJce.java:90)
    at com.sun.net.ssl.internal.ssl.CipherBox.<init>(CipherBox.java:84)
    at com.sun.net.ssl.internal.ssl.CipherBox.newCipherBox(CipherBox.java:118)
    at com.sun.net.ssl.internal.ssl.CipherSuite$BulkCipher.newCipher(CipherSuite.java:443)
    at com.sun.net.ssl.internal.ssl.Handshaker.newReadCipher(Handshaker.java:335)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.changeReadCiphers(SSLSocketImpl.java:1658)
    ... 18 more
Stefano Bagnara wrote:
> Rick McGuire ha scritto:
>> I'm in the process of adding SSL support to the Geronimo javamail
>> NNTP providers. I wish to use James as my target test server for
>> this, but I'm a bit of a newbie when it comes to
>> keystores/truststores. Can anybody give me a recipe for configuring
>> the necessary keystores and truststores to allow this
>> environment to function? I've found the documentation on Using TLS
>> in the James documentation, but the part about actually creating the
>> keystore is a bit glossed over.
>> Rick
>
> Hi Rick,
>
> try with this doc:
> http://wiki.apache.org/james/UsingSSL
>
> Stefano
>
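A small diagnostic, added here as an example and not code from the thread or from James, that performs the same lookup behind the "Cannot find any provider supporting RC4" failure in the log above and behind Stefano's point about the JCE jar having to match the JVM: it lists the JCE providers the running JVM sees (sunjce_provider.jar registers "SunJCE"), asks for the RC4 cipher the way JsseJce.getCipher does, and reports which default TLS cipher suites have an instantiable bulk cipher. Run it with the same java binary and classpath James starts with; the suite-name-to-transformation table is a simplified assumption for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.net.ssl.SSLServerSocketFactory;

/** Added diagnostic (not James code): shows whether a JSSE "Algorithm missing" error would occur. */
public class JceCheck {

    /** Assumed mapping: substring of the suite name -> JCE transformation JSSE requests for it. */
    private static final String[][] BULK = {
        {"_RC4_", "RC4"},
        {"_3DES_EDE_", "DESede/CBC/NoPadding"},
        {"_DES_", "DES/CBC/NoPadding"},
        {"_AES_", "AES/CBC/NoPadding"},
    };

    /** True if some installed provider can instantiate the named cipher. */
    static boolean cipherAvailable(String transformation) {
        try {
            Cipher.getInstance(transformation);
            return true;
        } catch (GeneralSecurityException e) { // NoSuchAlgorithm or NoSuchPadding
            return false;
        }
    }

    public static void main(String[] args) {
        // 1. Which providers did this JVM load? A missing or mismatched
        //    sunjce_provider.jar shows up here as no "SunJCE" entry.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " " + p.getVersion());
        }
        // 2. The exact lookup that failed in the log above.
        System.out.println("RC4 available: " + cipherAvailable("RC4"));
        // 3. For each default server suite, can its bulk cipher be created?
        String[] suites = SSLServerSocketFactory.getDefault().getDefaultCipherSuites();
        for (String suite : suites) {
            for (String[] m : BULK) {
                if (suite.indexOf(m[0]) >= 0) {
                    String state = cipherAvailable(m[1]) ? "ok" : "MISSING " + m[1];
                    System.out.println(suite + " -> " + state);
                    break;
                }
            }
        }
    }
}
```

A suite reported as MISSING is one the server would still offer during the handshake and then fail on, exactly as the log shows for RC4.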
Re: Setting up the server for TLS.
Posted by Stefano Bagnara <ap...@bago.org>.
Rick McGuire ha scritto:
> I'm in the process of adding SSL support to the Geronimo javamail NNTP
> providers. I wish to use James as my target test server for this, but
> I'm a bit of a newbie when it comes to keystores/truststores. Can
> anybody give me a recipe for configuring the necessary keystores and
> truststores to allow this environment to function? I've found the
> documentation on Using TLS in the James documentation, but the part
> about actually creating the keystore is a bit glossed over.
> Rick
Hi Rick,
try with this doc:
http://wiki.apache.org/james/UsingSSL
Stefano