I have an application that connects to a remote web service deployed on HTTPS. Our application uses FIPS-140 Level-1 for SSL/TLS connectivity, and is based on the JCE providers of RSA (the company). Recently the web service team made changes on their end to enable DH ciphers. After that change, the cipher that gets selected for SSL is TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. However, the certificate chain validation seems to fail with the exception below:

```
: Invalid authentication type: DHE_RSA
	at .cj.checkClientTrusted(Unknown Source)
	at (ReloadableX509TrustManager.java:65)
	at .aS.startHandshake(Unknown Source)
	at .(SSLConnectionSocketFactory.java:261)
	at .(HttpClientConnectionOperator.java:118)
```

Can anyone please guide me on what the meaning of "Invalid authentication type: DHE_RSA" is? Prior to DH cipher enablement in the back-end web service, this authentication type used to be "RSA", and we never faced any issue. Please note that the method does not do anything special - it is written to skip certificate chain validation in certain special cases, else it will delegate to #checkClientTrusted - in this case the TrustManager is an instance of an RSA class whose name is obfuscated in the RSA jars. It seems that .cj.checkClientTrusted expects the algorithm used in the public key to be DHE_RSA; since the algorithm used in the remote web service's certificate chain is RSA, it reports an error saying Invalid authentication type. Not sure why our SSL client has started failing to connect to the remote service since then, and is there anything I need to do for our application, or does the remote web services team need to do something? The remote web service team had recently added dhparam to their SSL configuration to avoid the logjam vulnerability, but they have not made any changes to their certificate.

I read in the comments of this question that this error can come if the algorithm is not FIPS-140 approved.

Let's now have a look at the TrustStore location and format in Java. First, Java looks for the TrustStore in two locations (in order): JAVA_HOME/lib/security/jssecacerts, then JAVA_HOME/lib/security/cacerts. We can overwrite the default location with the parameter.

Client Authentication Tomcat - trustAnchors parameter must be non-empty. Some brief and simplified background just in case it's not clear: you have a list of certificate authority (CA) certificates you trust (this is your trust store). This is a way for you to allow or disallow access to your web resources. The PKIXParameters object is used for client certificate validation. The problem is due to the way that Tomcat deals with the trust store. handling exception: : Unexpected error: curity. If you happen to have specified your trust store location as the same as your keystore in the Spring Boot configuration, you'll likely get the trustAnchors parameter must be non-empty message when starting the application. storeclasspath:server.jks -storeclasspath:server.jks.

Windows: Download the installation package davmail-version-setup.exe or davmail-version-setup64.exe for 64-bit Java and follow the instructions at DavMail Setup on Windows. Basically your Java SSL configuration is broken: either an invalid cacerts file or invalid DavMail SSL settings.

I found that simply installing the 32-bit version of DavMail works fine, but the 64-bit version can't find Java installed (even though I have a 64-bit version of the Java JVM installed). I think the 64-bit Java installer might be to blame here, rather than DavMail itself. From what I can gather, the 64-bit Java installer doesn't add anything to the environment that would allow DavMail to pick up the path to the jvm.dll file. The 32-bit Java installer does - it adds "C:\Program Files (x86)\Common Files\Oracle\Java\javapath" to the "Path" variable, and "javapath" is maintained as a shortcut to the directory containing the actual version installed. To automatically generate the davmail64.ini file during installation in the absence of any environmental setup by Java-64, the DavMail installer would have to go searching for the 64-bit jvm.dll in "C:\Program Files\Java". But even if it successfully did that and created the .ini file, the path to the 64-bit jvm.dll would always contain the revision of Java installed, and the entry in the .ini file would need to be manually updated if/when you updated Java. Hope that helps someone - it was simple enough just to install DavMail as 32-bit, and given the functionality of the utility, I can't see how it makes much difference.