Thanks Glen. Yes it works with the default provider. tstclnt fails
with the error Issuer certificate is invalid.

When I used it with option -o (Override bad server cert), it works fine.
The certificate we used is a self-signed certificate. So, probably
tstclnt didn't like it.

One more thing is, OpenSSL based C client is able to communicate with
server successfully.

Thanks,
Sreedhar

On Apr 2, 4:52 pm, Glen Beasley <glen.beas...@sun.com> wrote:
> hi,
>
> can you successfully connect to your server using JSSE with its
> default provider? meaning
> not using mozilla-JSS as the provider?
>
> I know you have used ssltap can you use NSS tool tstclnt?
>
> tstclnt -h <hostname> -p <port> -d <your nss cert db dir> -v -2 -3 -c v
>
> If you want full client auth specify your cert nickname with -n <your
> cert nickname>
>
> If the JSSE works with the default provider, and tstclnt works then open
> a bug on JSS with steps to recreate issue.
>
> -glen
>
>
>
> ksreedha...@gmail.com wrote:
> > Thanks Nelson for the reply.
>
> > Jss version is 4.2.5
> > JRE version is 1.6
> > NSS version is 3.11.4
>
> > See my comments inline.
> > On Apr 1, 8:45 pm, Nelson B Bolyard <nel...@bolyard.me> wrote:
>
> >> ksreedha...@gmail.com wrote, On 2009-04-01 17:54:
>
> >>> Hello,
>
> >>> I am [using] Mozilla-JSS as the provider in my Java application which
> >>> is a SSL client connecting to OpenSSL based SSL Server.
>
> >> You haven't reported version information, such as:
> >> - version of JDK/JRE
> >> - version of JSS
> >> - version of NSS
> >> It's possible that you have a version mismatch of some sort.
>
> >>> I am using the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA" and we are
> >>> using TLSv1.0 as the SSL protocol.
>
> >>> I get this exception when I try to connect to the server. Server has a
> >>> self signed RSA based certificate.
>
> >> I have rearranged the stack below, so that it appears as one continuous
> >> stack, with the first (or "root cause") exception at the top.
>
> >>> I thought premaster secret key is generated by the Client and encrypt
> >>> using the public key of the certificate so that Server will decrypt using
> >>> its private key.
>
> >> That's correct for the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA".
>
> >>> Can some one tell me what I am missing here and what this exception
> >>> means?
>
> >> The first exception reported in this stack, namely:
>
> >>> java.security.InvalidKeyException: Invalid key type: org.mozilla.jss.pkcs11.PK11RSAPublicKey
>
> >> says that the failure occurred when trying to encrypt the pre-master secret
> >> with the RSA public key.  The exception reports that the key it was given
> >> as the pre-master secret, to be encrypted with the server's RSA public key,
> >> was actually not a pre-master secret, but rather was an RSA public key.
>
> > But the premaster secret key is generated internally right?
>
> >> The code that threw the first exception may be seen at
>
> >>>http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/jss/org/...
> >>>  at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey (JSSCipherSpi.java:123)
> >>>  at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit (JSSCipherSpi.java:161)
> >>>  at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit (JSSCipherSpi.java:270)
> >>>  at javax.crypto.Cipher.init(DashoA13*..)
> >>>  at com.sun.net.ssl.internal.ssl.JCE_RSACipher.encryptInit (RSACipher.java:76)
> >>>  at com.sun.net.ssl.internal.ssl.PreMasterSecret.<init> (PreMasterSecret.java:83)
>
> >> Consequently, it was unable to create an RSA-encrypted pre-master secret
> >> (also known as the "RSA pre-master secret"), and this is what the second
> >> exception is complaining about.
>
> >>> (which caused) javax.net.ssl.SSLKeyException: RSA premaster secret error
> >>>  at com.sun.net.ssl.internal.ssl.PreMasterSecret.<init> (PreMasterSecret.java:86)
> >>>  at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone (ClientHandshaker.java:439)
> >>>  at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage (ClientHandshaker.java:132)
> >>>  at com.sun.net.ssl.internal.ssl.Handshaker.process_record (Handshaker.java:334)
> >>>  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord (SSLSocketImpl.java:805)
> >>>  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake (SSLSocketImpl.java:1046)
> >>>  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake (SSLSocketImpl.java:1059)
> >>>  at com.fhp.ems.main.TestSecurity_SSL.testSSL (TestSecurity_SSL.java:218)
> >>>  at com.fhp.ems.main.TestSecurity_SSL.main (TestSecurity_SSL.java:69)
>
> >> Maybe Glen can tell us more about diagnosing this failure.
>

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto