I tried CFMX 7.02 using the built in 1.4.2_09 JVM and the 1.4.2_11 JVM, but both reported a CFHTTP failure of "I/O Exception: peer not authenticated" even after I imported the jhu certificate into the cacerts used by the JVM under ColdFusion and verified it with the keytool list output (and of course I restarted CF as well).
ColdFusion was successful with https://login.yahoo.com and https://www.google.com, but not with the jhu.edu site. I traced the connections from CFHTTP to watch the events unfold, and I traced my Firefox connection to jhu.edu as well. Here's some screenshots of the traces, although I don't have any conclusions to draw from them yet: a) Trace of Firefox to jhu.edu http://www.talkingtree.com/images/jhu_firefox_server_hello.jpg b) Trace of CF7.02 CFHTTP to jhu.edu http://www.talkingtree.com/images/jhu_trace_server_hello.jpg c) Trace of CF7.02 CFHTTP to yahoo http://www.talkingtree.com/images/yahoo_login_trace.jpg d) Trace of CF7.02 CFHTTP to google http://www.talkingtree.com/images/google_trace.jpg Traces a, c, and d are show a successful exchange, and trace b shows the failure. Traces a and b to jhu.edu show a Client Hello in frame 4 and a Server Hello in frame 6. Trace a then shows firefox sending a Client Master Key to jhu.edu on frame 7, but trace b shows CFMX sending some Encrypted Data followed by a FIN and RST flag back to jhu.edu, thus ending the connection. Trace b goes on to show that CFHTTP tries 3 times, but continues to fail. The there are 6 key types (Cipher specs) in Firefox, and 4 key types in the JVM under CF (shown in the middle of screenshots a and b), although Firefox in frame 7 uses SSL2_RC4_128_WITH_MD5 as the Cipher Spec, which is common to Firefox and CF's JVM. The only other interesting observation is that Yahoo and Google use TLS (the 'new' SSL protocol), and jhu.edu uses SSLv2 which should work. That's all I've got for now... -Steven Erat > -----Original Message----- > From: Rob Wilkerson [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 02, 2006 11:16 AM > To: CF-Talk > Subject: Re: CFHTTP, SSL and Certificates (Obligatory "Oh My") > > Sadly, I'm already using the 1.4.2_09 JVM for my CF implementation so > I guess this won't help me much. > > It's a lot to ask, I know, but would someone mind trying to CFHTTP the > URI below by following the "standard" process? > > https://www.controller.jhu.edu/staff/phone_book/phone_co.jsp > > I'd like to ensure that it's not my environment. Or, if it is my > environment, try to understand why my environment is causing me so > many headaches. > > Thanks. > > Rob > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258937 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4