You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by Tim Wild <ti...@solnetsolutions.co.nz> on 2004/06/12 05:36:48 UTC
Invalid RSA modulus size
Hi,
I'm using HttpClient to connect to an apache server that requires
certificates. When I use client and server certificates from my own CA
with 1024 bit keys it works perfectly. When I get a commercial
certificate with a longer key (4096 bits), I get the following error
(full message below) when I connect to apache:
javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
Unknown key spec: Invalid RSA modulus size.
Google produced one result, which talked about a maximum key size using
the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
site suggested getting the unrestricted policy files, so I got and
installed them, but it doesn't seem to make any difference at all.
Does anyone have any thought or suggestions? Half formed thoughs or
ideas are welcome as it might give me a lead that I can follow myself.
Thanks
Tim Wild
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
Re: Invalid RSA modulus size
Posted by Oleg Kalnichevski <ol...@apache.org>.
Tim,
Unfortunately not. Sorry
Oleg
On Wed, 2004-07-14 at 00:40, Tim Wild wrote:
> Oleg,
>
> You wouldn't happen to know if this is a bug that's been reported on the
> bug parade would you? I've looked through the bug parade and the JDK1.5
> release notes with no luck. It'd be very helpful to be able to quote a
> bug number to my project manager about why we can't use certificates
> from a particular vendor.
>
> Thanks
>
> Tim
>
> Oleg Kalnichevski wrote:
>
> >Tim,
> >
> >This is believed to be a limitation of all Sun's JCE/JSSE
> >implementations up to Java version 1.5. You can try testing your
> >application with Java 1.5-b2 to see if the problem has indeed been
> >fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
> >implementations which _may_ not exhibit the same limitation
> >
> >HTH
> >
> >Oleg
> >
> >On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
> >
> >
> >>Hi,
> >>
> >>I'm using HttpClient to connect to an apache server that requires
> >>certificates. When I use client and server certificates from my own CA
> >>with 1024 bit keys it works perfectly. When I get a commercial
> >>certificate with a longer key (4096 bits), I get the following error
> >>(full message below) when I connect to apache:
> >>
> >>javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
> >>Unknown key spec: Invalid RSA modulus size.
> >>
> >>Google produced one result, which talked about a maximum key size using
> >>the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
> >>site suggested getting the unrestricted policy files, so I got and
> >>installed them, but it doesn't seem to make any difference at all.
> >>
> >>Does anyone have any thought or suggestions? Half formed thoughs or
> >>ideas are welcome as it might give me a lead that I can follow myself.
> >>
> >>Thanks
> >>
> >>Tim Wild
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >>
> >>
> >>
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
Re: Invalid RSA modulus size
Posted by Tim Wild <ti...@solnetsolutions.co.nz>.
Oleg,
You wouldn't happen to know if this is a bug that's been reported on the
bug parade would you? I've looked through the bug parade and the JDK1.5
release notes with no luck. It'd be very helpful to be able to quote a
bug number to my project manager about why we can't use certificates
from a particular vendor.
Thanks
Tim
Oleg Kalnichevski wrote:
>Tim,
>
>This is believed to be a limitation of all Sun's JCE/JSSE
>implementations up to Java version 1.5. You can try testing your
>application with Java 1.5-b2 to see if the problem has indeed been
>fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>implementations which _may_ not exhibit the same limitation
>
>HTH
>
>Oleg
>
>On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>
>
>>Hi,
>>
>>I'm using HttpClient to connect to an apache server that requires
>>certificates. When I use client and server certificates from my own CA
>>with 1024 bit keys it works perfectly. When I get a commercial
>>certificate with a longer key (4096 bits), I get the following error
>>(full message below) when I connect to apache:
>>
>>javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
>>Unknown key spec: Invalid RSA modulus size.
>>
>>Google produced one result, which talked about a maximum key size using
>>the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
>>site suggested getting the unrestricted policy files, so I got and
>>installed them, but it doesn't seem to make any difference at all.
>>
>>Does anyone have any thought or suggestions? Half formed thoughs or
>>ideas are welcome as it might give me a lead that I can follow myself.
>>
>>Thanks
>>
>>Tim Wild
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>>
>>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
Re: Invalid RSA modulus size
Posted by Michael Becke <be...@u.washington.edu>.
Hi Tim,
This generally means the the server's cert is signed by an untrusted
CA. You can get around this in a couple of ways.
- import the servers cert into the keystore you are using
- implement a SSL socket factory that is not so picky about who signed
the cert. This is not recommended for production use but can be useful
for testing. Take a look at the EasySSLProtocolSocketFactory described
in <http://jakarta.apache.org/commons/httpclient/sslguide.html> for an
example.
- Sign your server cert with a CA that is trusted by JSSE. Please
take a look at the JSSE docs for info about which CAs are trusted.
Mike
On Jun 14, 2004, at 10:19 PM, Tim Wild wrote:
> Thanks for that Oleg. Using JDK 1.5.0b2 does indeed get past the
> "invalid modulus size" error. I've got another error message now:
> "javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate
> found".
>
> My apache server has a certificate from a certification authority
> called Digital Identity, in New Zealand. They have a root certificate
> authority, then two sub-CAs (perhaps called chained CAs). My server
> certificate and client certificate are chained under one of these
> sub-CAs. When I use Mozilla it all works perfectly, it requests the
> certificate, the browser presents it, and I can see the page I
> requested.
>
> When I try the same thing using Java I get the error message above. I
> have a keystore with just my client certiciate in it (nothing else),
> the same client certificate that works in Mozilla. I know it's finding
> the certificate because i'm having Java print out the alias of the
> certificate it's using. The CA certs are in the cacerts file of the
> JDK1.5 i'm using.
>
> Does anyone have any idea why i'm getting this error? Any thoughts or
> ideas about how to go forward or things to investigate would be
> welcome.
>
> Thanks
>
> Tim
>
> Oleg Kalnichevski wrote:
>
>> Tim,
>>
>> This is believed to be a limitation of all Sun's JCE/JSSE
>> implementations up to Java version 1.5. You can try testing your
>> application with Java 1.5-b2 to see if the problem has indeed been
>> fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>> implementations which _may_ not exhibit the same limitation
>>
>> HTH
>>
>> Oleg
>>
>> On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>>
>>> Hi,
>>>
>>> I'm using HttpClient to connect to an apache server that requires
>>> certificates. When I use client and server certificates from my own
>>> CA with 1024 bit keys it works perfectly. When I get a commercial
>>> certificate with a longer key (4096 bits), I get the following error
>>> (full message below) when I connect to apache:
>>>
>>> javax.net.ssl.SSLProtocolException: java.io.IOException: subject
>>> key, Unknown key spec: Invalid RSA modulus size.
>>>
>>> Google produced one result, which talked about a maximum key size
>>> using the JCE of 2048 bits using the JDK 1.4.2 default policy files.
>>> Another site suggested getting the unrestricted policy files, so I
>>> got and installed them, but it doesn't seem to make any difference
>>> at all.
>>>
>>> Does anyone have any thought or suggestions? Half formed thoughs or
>>> ideas are welcome as it might give me a lead that I can follow
>>> myself.
>>>
>>> Thanks
>>>
>>> Tim Wild
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>> For additional commands, e-mail:
>>> commons-httpclient-dev-help@jakarta.apache.org
>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> commons-httpclient-dev-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail:
>> commons-httpclient-dev-help@jakarta.apache.org
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> commons-httpclient-dev-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
Re: Invalid RSA modulus size
Posted by Tim Wild <ti...@solnetsolutions.co.nz>.
Thanks for that Oleg. Using JDK 1.5.0b2 does indeed get past the
"invalid modulus size" error. I've got another error message now:
"javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found".
My apache server has a certificate from a certification authority called
Digital Identity, in New Zealand. They have a root certificate
authority, then two sub-CAs (perhaps called chained CAs). My server
certificate and client certificate are chained under one of these
sub-CAs. When I use Mozilla it all works perfectly, it requests the
certificate, the browser presents it, and I can see the page I requested.
When I try the same thing using Java I get the error message above. I
have a keystore with just my client certiciate in it (nothing else), the
same client certificate that works in Mozilla. I know it's finding the
certificate because i'm having Java print out the alias of the
certificate it's using. The CA certs are in the cacerts file of the
JDK1.5 i'm using.
Does anyone have any idea why i'm getting this error? Any thoughts or
ideas about how to go forward or things to investigate would be welcome.
Thanks
Tim
Oleg Kalnichevski wrote:
>Tim,
>
>This is believed to be a limitation of all Sun's JCE/JSSE
>implementations up to Java version 1.5. You can try testing your
>application with Java 1.5-b2 to see if the problem has indeed been
>fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>implementations which _may_ not exhibit the same limitation
>
>HTH
>
>Oleg
>
>On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>
>
>>Hi,
>>
>>I'm using HttpClient to connect to an apache server that requires
>>certificates. When I use client and server certificates from my own CA
>>with 1024 bit keys it works perfectly. When I get a commercial
>>certificate with a longer key (4096 bits), I get the following error
>>(full message below) when I connect to apache:
>>
>>javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
>>Unknown key spec: Invalid RSA modulus size.
>>
>>Google produced one result, which talked about a maximum key size using
>>the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
>>site suggested getting the unrestricted policy files, so I got and
>>installed them, but it doesn't seem to make any difference at all.
>>
>>Does anyone have any thought or suggestions? Half formed thoughs or
>>ideas are welcome as it might give me a lead that I can follow myself.
>>
>>Thanks
>>
>>Tim Wild
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>>
>>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
Re: Invalid RSA modulus size
Posted by Roland Weber <RO...@de.ibm.com>.
Hello Tim,
from what I know about the export regulations, shipping
working crypto code that is just disabled through some
configuration file is not acceptable. You will have to
obtain a full-strength JCE/JSSE implementation. Either
a US-only version of the JDK, or a non-US implementation
of the library which is not subject to US or other export
restrictions on cryptography.
cheers,
Roland
Tim Wild <ti...@solnetsolutions.co.nz>
21.06.2004 05:19
Please respond to
"Commons HttpClient Project"
To
Commons HttpClient Project <co...@jakarta.apache.org>
cc
Subject
Re: Invalid RSA modulus size
Does anyone know if the Unlimited Strength Jurisdiction Policy Files are
meant to solve this problem, or is it actually a bug with the JDK1.4?
The policy files don't help me at all on the JDK1.4.
Thanks
Tim
Oleg Kalnichevski wrote:
>Tim,
>
>This is believed to be a limitation of all Sun's JCE/JSSE
>implementations up to Java version 1.5. You can try testing your
>application with Java 1.5-b2 to see if the problem has indeed been
>fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>implementations which _may_ not exhibit the same limitation
>
>HTH
>
>Oleg
>
>On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>
>
>>Hi,
>>
>>I'm using HttpClient to connect to an apache server that requires
>>certificates. When I use client and server certificates from my own CA
>>with 1024 bit keys it works perfectly. When I get a commercial
>>certificate with a longer key (4096 bits), I get the following error
>>(full message below) when I connect to apache:
>>
>>javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
>>Unknown key spec: Invalid RSA modulus size.
>>
>>Google produced one result, which talked about a maximum key size using
>>the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
>>site suggested getting the unrestricted policy files, so I got and
>>installed them, but it doesn't seem to make any difference at all.
>>
>>Does anyone have any thought or suggestions? Half formed thoughs or
>>ideas are welcome as it might give me a lead that I can follow myself.
>>
>>Thanks
>>
>>Tim Wild
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail:
commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail:
commons-httpclient-dev-help@jakarta.apache.org
>>
>>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail:
commons-httpclient-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail:
commons-httpclient-dev-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail:
commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail:
commons-httpclient-dev-help@jakarta.apache.org
Re: Invalid RSA modulus size
Posted by Tim Wild <ti...@solnetsolutions.co.nz>.
Does anyone know if the Unlimited Strength Jurisdiction Policy Files are
meant to solve this problem, or is it actually a bug with the JDK1.4?
The policy files don't help me at all on the JDK1.4.
Thanks
Tim
Oleg Kalnichevski wrote:
>Tim,
>
>This is believed to be a limitation of all Sun's JCE/JSSE
>implementations up to Java version 1.5. You can try testing your
>application with Java 1.5-b2 to see if the problem has indeed been
>fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>implementations which _may_ not exhibit the same limitation
>
>HTH
>
>Oleg
>
>On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>
>
>>Hi,
>>
>>I'm using HttpClient to connect to an apache server that requires
>>certificates. When I use client and server certificates from my own CA
>>with 1024 bit keys it works perfectly. When I get a commercial
>>certificate with a longer key (4096 bits), I get the following error
>>(full message below) when I connect to apache:
>>
>>javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
>>Unknown key spec: Invalid RSA modulus size.
>>
>>Google produced one result, which talked about a maximum key size using
>>the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
>>site suggested getting the unrestricted policy files, so I got and
>>installed them, but it doesn't seem to make any difference at all.
>>
>>Does anyone have any thought or suggestions? Half formed thoughs or
>>ideas are welcome as it might give me a lead that I can follow myself.
>>
>>Thanks
>>
>>Tim Wild
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>>
>>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
Re: Invalid RSA modulus size
Posted by Tim Wild <ti...@solnetsolutions.co.nz>.
Thanks for that Oleg, you were indeed correct. Using JDK1.4 I couldn't
get this to work, but it worked pefectly on 1.5.0 beta 2. I had a few
problems getting all my certificates in the right place, but in the end
I got there. Eric, your -trustcacerts was helpful too, and thanks to
everyone who made suggestions.
We're using Sybase EAServer, and we're locked into using JDK 1.4.2_03.
Because of this I think i'll need to look into 3rd party JSSE or JCE
implementations. Bouncycastle is the only provider I know of, but they
don't seem to support TLS. Google isn't helping me much here. Does
anyone know of a suitable provider that might have a working version of
JSSE/JCE?
FYI the error i'm talking getting is:
javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
Unknown key spec: Invalid RSA modulus size.
One tip I found: if you generate your private key using openssl, then
get a certificate back from a CA, it can be hard to get this into your
Java keystore. The only way I know to do it is to create a pkcs12
certificate containing both your public and private key, the using
keytoolgui you have to use the "import key pair" option instead of using
"import certificate". The java keytool can't do this because it doesn't
understand pcsk12, and there's no way I could find to import a private
key. The other option is to generate your private key using keytool, but
it's difficult to get the private key out of the keystore. Incidentally
keytoolgui has now been turned into a commercial product, but the old
one still works if you can find it.
I hope this helps someone, and I appreciate any suggestions anyone has
about my problem.
Tim
Oleg Kalnichevski wrote:
>Tim,
>
>This is believed to be a limitation of all Sun's JCE/JSSE
>implementations up to Java version 1.5. You can try testing your
>application with Java 1.5-b2 to see if the problem has indeed been
>fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
>implementations which _may_ not exhibit the same limitation
>
>HTH
>
>Oleg
>
>On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
>
>
>>Hi,
>>
>>I'm using HttpClient to connect to an apache server that requires
>>certificates. When I use client and server certificates from my own CA
>>with 1024 bit keys it works perfectly. When I get a commercial
>>certificate with a longer key (4096 bits), I get the following error
>>(full message below) when I connect to apache:
>>
>>javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
>>Unknown key spec: Invalid RSA modulus size.
>>
>>Google produced one result, which talked about a maximum key size using
>>the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
>>site suggested getting the unrestricted policy files, so I got and
>>installed them, but it doesn't seem to make any difference at all.
>>
>>Does anyone have any thought or suggestions? Half formed thoughs or
>>ideas are welcome as it might give me a lead that I can follow myself.
>>
>>Thanks
>>
>>Tim Wild
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>>
>>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
Re: Invalid RSA modulus size
Posted by Oleg Kalnichevski <ol...@apache.org>.
Tim,
This is believed to be a limitation of all Sun's JCE/JSSE
implementations up to Java version 1.5. You can try testing your
application with Java 1.5-b2 to see if the problem has indeed been
fixed. Alternatively consider using IBM Java 1.4 or 3rd party JCE/JSSE
implementations which _may_ not exhibit the same limitation
HTH
Oleg
On Sat, 2004-06-12 at 05:36, Tim Wild wrote:
> Hi,
>
> I'm using HttpClient to connect to an apache server that requires
> certificates. When I use client and server certificates from my own CA
> with 1024 bit keys it works perfectly. When I get a commercial
> certificate with a longer key (4096 bits), I get the following error
> (full message below) when I connect to apache:
>
> javax.net.ssl.SSLProtocolException: java.io.IOException: subject key,
> Unknown key spec: Invalid RSA modulus size.
>
> Google produced one result, which talked about a maximum key size using
> the JCE of 2048 bits using the JDK 1.4.2 default policy files. Another
> site suggested getting the unrestricted policy files, so I got and
> installed them, but it doesn't seem to make any difference at all.
>
> Does anyone have any thought or suggestions? Half formed thoughs or
> ideas are welcome as it might give me a lead that I can follow myself.
>
> Thanks
>
> Tim Wild
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org