You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by venkatesham nalla <v_...@hotmail.com> on 2013/09/18 04:55:45 UTC
SSL issue on AIX with IBM JDK 7 JVM
Hi,
I am testing CXF 2.7.6 on AIX 6.1 with IBM J9 JDK 7 JVM. The client and server are on two different machines of same kind in both the cases IBM JVM (same version) is used. Both the servers has trustore/keystores based on Verisign signed local CA who signs the certificate for the respective machines.
Server Side SSL Configuration:<httpj:engine-factory bus="cxf"> <httpj:engine port="7643"> <httpj:tlsServerParameters secureSocketProtocol="SSL"> <csec:trustManagers> <csec:keyStore type="JKS" password="..." file="server.jks"/> </csec:trustManagers> <csec:keyManagers keyPassword="..."> <csec:keyStore type="JKS" password="..." file="server.jks"/> </csec:keyManagers> <csec:clientAuthentication want="false" required="false"/> </httpj:tlsServerParameters> </httpj:engine> </httpj:engine-factory>
Client Side SSL Configuration:
<http:conduit name="*.http-conduit"> <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL"> <sec:trustManagers> <sec:keyStore type="JKS" password="..." file="client.jks"/> </sec:trustManagers> </http:tlsClientParameters> </http:conduit>
I am getting the following error:
[java] Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Violated path length constraints [java] at com.ibm.jsse2.j.a(j.java:39) [java] at com.ibm.jsse2.qc.a(qc.java:337) [java] at com.ibm.jsse2.ab.a(ab.java:225) [java] at com.ibm.jsse2.ab.a(ab.java:162) [java] at com.ibm.jsse2.bb.a(bb.java:352) [java] at com.ibm.jsse2.bb.a(bb.java:13) [java] at com.ibm.jsse2.ab.r(ab.java:75) [java] at com.ibm.jsse2.ab.a(ab.java:532) [java] at com.ibm.jsse2.qc.a(qc.java:158) [java] at com.ibm.jsse2.qc.h(qc.java:272) [java] at com.ibm.jsse2.qc.a(qc.java:234) [java] at com.ibm.jsse2.qc.startHandshake(qc.java:8) [java] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:111) [java] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:18) [java] at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1099) [java] at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:11) [java] at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168) [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1278) [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234) [java] at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195) [java] at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) [java] at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291) [java] ... 16 more [java] Caused by: com.ibm.jsse2.util.h: Violated path length constraints
It works fine with IBM JDK 6 using spring configuration files shown above as well as Oracle/Sun JDK 7 on laptop.
However it works fine, when the truststore is configured on the command line of java client process using JDK 7:
java -Dcxf.config.file=client.xml -Djavax.net.debug=all -Djavax.net.ssl.trustStore=client.jks -Djavax.net.ssl.trustStorePassword=... -Dhttps.protocols=SSLv3 com.mycomany.Client
configuration file is without any SSL configuration as shown below (client.xml): <http:conduit name="*.http-conduit">
</http:conduit>
Appreciate any help on resolving this issue.
Thanks,Venkat
RE: SSL issue on AIX with IBM JDK 7 JVM
Posted by venkatesham nalla <v_...@hotmail.com>.
Hi,
Any have come across this situation. Appreciate your help.
Thanks,Venkat
> From: v_nalla@hotmail.com
> To: users@cxf.apache.org
> Subject: SSL issue on AIX with IBM JDK 7 JVM
> Date: Wed, 18 Sep 2013 02:55:45 +0000
>
> Hi,
> I am testing CXF 2.7.6 on AIX 6.1 with IBM J9 JDK 7 JVM. The client and server are on two different machines of same kind in both the cases IBM JVM (same version) is used. Both the servers has trustore/keystores based on Verisign signed local CA who signs the certificate for the respective machines.
> Server Side SSL Configuration:<httpj:engine-factory bus="cxf"> <httpj:engine port="7643"> <httpj:tlsServerParameters secureSocketProtocol="SSL"> <csec:trustManagers> <csec:keyStore type="JKS" password="..." file="server.jks"/> </csec:trustManagers> <csec:keyManagers keyPassword="..."> <csec:keyStore type="JKS" password="..." file="server.jks"/> </csec:keyManagers> <csec:clientAuthentication want="false" required="false"/> </httpj:tlsServerParameters> </httpj:engine> </httpj:engine-factory>
> Client Side SSL Configuration:
> <http:conduit name="*.http-conduit"> <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL"> <sec:trustManagers> <sec:keyStore type="JKS" password="..." file="client.jks"/> </sec:trustManagers> </http:tlsClientParameters> </http:conduit>
> I am getting the following error:
> [java] Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Violated path length constraints [java] at com.ibm.jsse2.j.a(j.java:39) [java] at com.ibm.jsse2.qc.a(qc.java:337) [java] at com.ibm.jsse2.ab.a(ab.java:225) [java] at com.ibm.jsse2.ab.a(ab.java:162) [java] at com.ibm.jsse2.bb.a(bb.java:352) [java] at com.ibm.jsse2.bb.a(bb.java:13) [java] at com.ibm.jsse2.ab.r(ab.java:75) [java] at com.ibm.jsse2.ab.a(ab.java:532) [java] at com.ibm.jsse2.qc.a(qc.java:158) [java] at com.ibm.jsse2.qc.h(qc.java:272) [java] at com.ibm.jsse2.qc.a(qc.java:234) [java] at com.ibm.jsse2.qc.startHandshake(qc.java:8) [java] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:111) [java] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:18) [java] at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1099) [java] at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:11) [java] at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168) [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1278) [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234) [java] at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195) [java] at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) [java] at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) [java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291) [java] ... 16 more [java] Caused by: com.ibm.jsse2.util.h: Violated path length constraints
> It works fine with IBM JDK 6 using spring configuration files shown above as well as Oracle/Sun JDK 7 on laptop.
> However it works fine, when the truststore is configured on the command line of java client process using JDK 7:
> java -Dcxf.config.file=client.xml -Djavax.net.debug=all -Djavax.net.ssl.trustStore=client.jks -Djavax.net.ssl.trustStorePassword=... -Dhttps.protocols=SSLv3 com.mycomany.Client
> configuration file is without any SSL configuration as shown below (client.xml): <http:conduit name="*.http-conduit">
> </http:conduit>
>
> Appreciate any help on resolving this issue.
> Thanks,Venkat
>
>