unsupported keyword OID.2.5.4.17

The problem

Exception in thread "main" java.io.IOException: unsupported keyword OID.2.5.4.17
        at com.sun.net.ssl.internal.ssl.AVA.<init>(DashoA12275(Compiled Code))
        at com.sun.net.ssl.internal.ssl.RDN.<init>(DashoA12275(Compiled Code))
        at com.sun.net.ssl.internal.ssl.X500Name.a(DashoA12275(Compiled Code))
        at com.sun.net.ssl.internal.ssl.X500Name.<init>(DashoA12275)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA12275)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA12275)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA12275)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect(DashoA12275)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(DashoA12275)

How is it your fault when a client that has been running your application for more than 5 years now receives this error because its security provider finally upgraded its certificates to include OID.2.5.4.17=<9 digit zip>, now standard in almost all certificates?

Upgrade, you might say, but this is not simple considering that the client is AIX-based:

java version "1.3.1"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1)
Classic VM (build 1.3.1, J2RE 1.3.1 IBM AIX build ca131-20030630a (JIT enabled: jitc))

Solution?

  • upgrade JSSE. No. JSSE has been EOL for some time now.
  • try to use the JSSE from 1.4.2. No, this version is not pluggable.
  • upgrade to Java 1.4.2, which is not an easy task in these conditions
  • you soon realize that the IBM Java has a special implementation of JSSE, found in the ibmjsse.jar file, so code written in Java 1.3 for the pluggable JSSE module does not work with the ibmjsse implementation and fails with the error:
Classe java introuvable :  com/sun/net/ssl/internal/ssl/Provider
  • finally the solution is to remove from your code the following part:
 Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
 System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
  • the only remaining problem is compiling 5-year-old code :)
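
Before removing the hard-coded registration, it helps to see what the runtime already supplies. The following diagnostic is an added example, not code from the original post: the class name ProviderCheck is hypothetical, the localhost URL is a constructed value used only to test handler lookup (no connection is opened), and the syntax is kept compatible with Java 1.3.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Provider;
import java.security.Security;

// Hypothetical diagnostic class (added example, not from the original post).
// Java 1.3-compatible syntax: no generics, no enhanced for loop.
public class ProviderCheck {

    // The provider class the old code registered by hand.
    static final String SUN_JSSE = "com.sun.net.ssl.internal.ssl.Provider";

    // True if the named class can be loaded by this runtime.
    static boolean classPresent(String name) {
        try {
            Class.forName(name);
            return true;
        } catch (Throwable t) { // ClassNotFoundException or NoClassDefFoundError
            return false;
        }
    }

    // True if an https URL handler is already registered.
    // new URL(...) only resolves the protocol handler; it opens no connection.
    static boolean httpsHandlerPresent() {
        try {
            new URL("https://localhost/");
            return true;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // List the security providers in the order the runtime consults them.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName()
                    + " " + providers[i].getVersion()
                    + " (" + providers[i].getClass().getName() + ")");
        }
        System.out.println("Sun JSSE provider class loadable: " + classPresent(SUN_JSSE));
        System.out.println("java.protocol.handler.pkgs = "
                + System.getProperty("java.protocol.handler.pkgs"));
        System.out.println("https handler available: " + httpsHandlerPresent());
    }
}
```

If the https handler is reported as available while the Sun provider class is not loadable, the runtime's own JSSE is already wired in and the two hard-coded lines are not needed.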

One Response

  1. this saves me..

    thanks..
