On 23/07/18 12:39, Piotr Przybył wrote:
On 23/07/18 11:56, Dr P Nyirenda wrote:
Good morning,

I have a new registrar that is trying to use Java for EPP connections to our .mw FRED server and they are having a problem on how to use SSL digital keys and SSL certificates in their Java EPP client. They want to import the SSL private key and digital certificate into their Java EPP client.

The e-mail address of the registrar is domain(a)idcicp.com and their skype ID is slowturtlej.

As of now they are trying something like the following:

openssl pkcs12 -export -clcerts -in topnets.cert.pem -inkey topnets.key.pem -out clientuser.p12
keytool -importkeystore -srckeystore clientuser.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ServerKeystore.jks

Let me know if you can help and please, if you can, also communicate to them directly on the above address and skype ID.

Regards,
Paulos
Greetings

Before all, make them aware that this is not working like HTTPS, but both parties are sending SSL* encrypted data. So they need not only to accept FRED's (CA) certificate, but also encrypt traffic going from them to FRED.

Assuming you have custom certificates from FRED...

First they can convert FRED's CA cert to X.509 format:

openssl x509 -in cacert.pem -out cacert.cer

Then import the X.509 certificate into the trusted cacerts for Java:

keytool -keystore /path/to/cacerts -storepass changeit -import -alias youralias -file /path/to/cacert.cer

Then they need to create this p12 keystore with their cert and priv key. Check the relevant section in https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html, if the commands sent by them don't work.

The important part is to make their programme use that keystore ;-)

Last, but not least. If
a) the first EPP message is working for them, but not the second, third, and so on
and
b) they're using Java 7 or above (I really hope so)
and
c) mod_epp.c code didn't get changed in FRED (needs to be confirmed by CZ.NIC team) in the version you're using

what might help is disabling CBC mode. E.g. this way:

System.setProperty("jsse.enableCBCProtection", "false");

The answer is that CBC is default since Java 7 (one of the things not documented (properly) in change log) and FRED (at least at the time I was testing it) isn't able to handle CBC.

Best regards
Piotr
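The step Piotr flags as the important one, making the Java client actually use the keystore, is the part the thread never shows. Below is an added example (not code from the thread, from FRED or from the registrar): a minimal Java client that loads the registrar's PKCS12 file as its identity and a truststore holding the FRED CA, opens the mutually authenticated TLS connection, and reads the server's EPP greeting frame. File names, passwords and the host name `epp.example` are placeholders to be replaced with the registrar's own values.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.*;
public class EppTlsClient {
    // Client identity: the PKCS12 file from "openssl pkcs12 -export" (placeholder password).
    // Trust: a keystore into which the FRED CA cert was imported with keytool.
    static SSLContext buildContext(String p12Path, char[] p12Pass,
                                   String trustPath, char[] trustPass)
            throws GeneralSecurityException, IOException {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            identity.load(in, p12Pass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, p12Pass);   // the key manager is what makes the client present its cert
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustPath)) {
            trust.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);               // only the FRED CA is trusted, not the JDK default set
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // EPP over TLS (RFC 5734): 4-byte big-endian length (header included), then the XML document.
    static String readFrame(DataInputStream in) throws IOException {
        int total = in.readInt();
        if (total < 4 || total > 1 << 20) throw new IOException("bad EPP frame length: " + total);
        byte[] xml = new byte[total - 4];
        in.readFully(xml);
        return new String(xml, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("clientuser.p12", "p12pass".toCharArray(),
                                      "truststore.jks", "changeit".toCharArray());
        // 700 is the IANA-registered EPP port; the host name is a placeholder.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("epp.example", 700)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // check the server name against its cert
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println(readFrame(new DataInputStream(s.getInputStream())));
        }
    }
}
```

If the handshake succeeds but the server immediately drops the connection, check the keystore contents with `keytool -list` first; a missing private key in the PKCS12 file leaves the client with nothing to present when FRED asks for its certificate.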