Weird. I would trial and error a few things. Check the keystore on CF9 with
the "list" function and compare with CF10 ... see if anything's missing that
missed your docs :)  Try removing the jsafe setting below.  Make sure your
CF install has access to the folder containing the certs and can read them.
Not sure I have anything to add.

-Mark


-----Original Message-----
From: Jeff Garza [mailto:j...@garzasixpack.com] 
Sent: Thursday, July 25, 2013 3:45 PM
To: cf-talk
Subject: RE: issue with cfhttp and client certificates


Mark,

On the CF9 Server we're at Java version 1.6.0_17  and the arguments from 
the CFAdmin look like the following: "-server -Dsun.io.useCanonCaches=false 
-XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch 
-Dcoldfusion.rootDir={application.home}/../ 
-Dcoldfusion.libPath={application.home}/../lib 
-Dcoldfusion.spooltimeout=120".

On the CF10 server it's at Java version 1.7.0_15  and the args are: 
"-server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch 
-Dcoldfusion.home={application.home} 
-Dcoldfusion.rootDir={application.home} 
-Dcoldfusion.libPath={application.home}/lib 
-Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true 
-Dcoldfusion.jsafe.defaultalgo=FIPS186Random 
-Dcoldfusion.spooltimeout=120"

Though, based on the error, I don't think this is a handshake issue.  It 
looks like an issue where the JVM can't even open the certificate file to 
pass the public key on to the server.  Which is why this is so strange that 
CF9 with the older JVM would be able to do it, but the new one can't.
--Jeff

-------- Original Message --------
> From: "Mark A Kruger" <mkru...@cfwebtools.com>
> Sent: Thursday, July 25, 2013 1:25 PM
> To: "cf-talk" <cf-talk@houseoffusion.com>
> Subject: RE: issue with cfhttp and client certificates
> 
> Jeff,
> 
> What JVM version are you using on CF9 and what do the args look like?
> Sometimes it's a matter of the handshake and levels of TLS/SSL - the error
> may be not specific enough to tell. You can enable logging to get a grip on
> it though. That would tell you more.
> 
> -Mark
> 
> 
> -----Original Message-----
> From: Jeff Garza [mailto:j...@garzasixpack.com] 
> Sent: Thursday, July 25, 2013 12:25 PM
> To: cf-talk
> Subject: issue with cfhttp and client certificates
> 
> 
> Ok, so here's the issue.  A process that was working just fine on CF9 is
> now broken on CF10.  We have a service that we call that requires us to
> submit a client certificate to the server.  In CF9, this worked just fine.
> Use the clientcert and clientcertpass attributes of CFHTTP and you're good
> to go.  It reads the .pfx file fine and everything runs...  This is not a
> cacerts issue as you do not have to have the key in the keystore to use
> it.
> Forward to CF10, the exact same code and certificates now gives the error:
> 
> "Error while trying to get the SSL client certificate:
> java.security.UnrecoverableKeyException: Could not decrypt key: Could not
> decode key from BER. (Invalid encoding: expected tag not there. )."
> It's like it's unable to open the .pfx certificate file.
> I know this is a long shot since there are not many folks out there using
> client certs, but has anyone else run across this issue?
> Thanks,
> Jeff Garza

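An added example, not code from this thread or from ColdFusion itself: a standard-library-only Python check for the situation Jeff describes, where the JVM reports that it cannot decode the key from BER before any TLS handshake takes place. It covers Mark's permissions point (is the .pfx readable by the user the CF service runs as?) and then inspects the file's outer DER envelope to tell a well-formed PKCS#12 v3 SEQUENCE apart from PEM text, base64 text, a truncated file, or trailing garbage, any of which a BER/DER parser may report as an expected tag being absent. The sample inputs are constructed and are not real certificates; the decoder looks only at the outer envelope and never touches the password or the private-key bag. Python is used rather than Java so the check runs on any host without a JDK.

```python
"""Offline sanity check of a PKCS#12 (.pfx) file's outer DER envelope.

Added example for the cf-talk thread above; uses only the standard library.
It does not verify the password or decrypt the key bag: it only reports
whether the bytes look like a binary PKCS#12 v3 structure at all.
"""
import os

# PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, macData OPTIONAL }
PKCS12_VERSION = 3
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02


def read_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag-length-value starting at offset.

    Returns (tag, value_bytes, next_offset). Raises ValueError on an
    indefinite/oversized length or content that runs past the end of data.
    """
    if offset >= len(data):
        raise ValueError("unexpected end of data")
    tag = data[offset]
    offset += 1
    if offset >= len(data):
        raise ValueError("missing length byte")
    first = data[offset]
    offset += 1
    if first < 0x80:                      # short form: one byte holds the length
        length = first
    else:                                 # long form: low 7 bits = number of length bytes
        num_bytes = first & 0x7F
        if num_bytes == 0 or num_bytes > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        if offset + num_bytes > len(data):
            raise ValueError("truncated length field")
        length = int.from_bytes(data[offset:offset + num_bytes], "big")
        offset += num_bytes
    end = offset + length
    if end > len(data):
        raise ValueError(f"content length {length} runs past end of data")
    return tag, data[offset:end], end


def classify_pkcs12_bytes(data: bytes) -> str:
    """Return a one-line diagnosis for the bytes of a supposed .pfx file."""
    if not data:
        return "empty file"
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM text, not DER: the JVM expects a binary PKCS#12 file"
    if data[0] != TAG_SEQUENCE:
        return f"first byte 0x{data[0]:02x} is not a DER SEQUENCE tag (0x30)"
    try:
        _, body, end = read_tlv(data)
    except ValueError as exc:
        return f"malformed outer SEQUENCE: {exc}"
    if end != len(data):
        return f"outer SEQUENCE ends at byte {end} but file has {len(data)} bytes (trailing data)"
    try:
        vtag, vbody, _ = read_tlv(body)
    except ValueError as exc:
        return f"malformed version field: {exc}"
    if vtag != TAG_INTEGER:
        return f"expected INTEGER version tag, found 0x{vtag:02x}"
    version = int.from_bytes(vbody, "big")
    if version != PKCS12_VERSION:
        return f"PKCS#12 version {version} is not the expected v3"
    return "ok: well-formed PKCS#12 v3 envelope"


def check_pkcs12_file(path: str) -> str:
    """Permission check first (run as the CF service user), then the envelope check."""
    if not os.path.isfile(path):
        return "file does not exist"
    if not os.access(path, os.R_OK):
        return "file exists but is not readable by this user"
    with open(path, "rb") as fh:
        return classify_pkcs12_bytes(fh.read())


# Constructed sample inputs (not real certificates): a minimal v3 envelope
# with an empty authSafe placeholder, plus a few broken variants.
SAMPLE_GOOD = bytes([0x30, 0x06, 0x02, 0x01, 0x03, 0x30, 0x01, 0x00])
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_TRUNCATED = SAMPLE_GOOD[:5]
SAMPLE_BASE64 = b"MIIKSgIBAzCCCgQGCSqGSIb3DQEHAaCCCfUEggnx"  # base64 text, not binary

if __name__ == "__main__":
    for name, blob in [("good", SAMPLE_GOOD), ("pem", SAMPLE_PEM),
                       ("truncated", SAMPLE_TRUNCATED), ("base64", SAMPLE_BASE64)]:
        print(f"{name:10s} -> {classify_pkcs12_bytes(blob)}")
```

Run `check_pkcs12_file("/path/to/client.pfx")` as the account the ColdFusion service runs under; an "ok" result means the file is readable and structurally a PKCS#12 container, so a remaining failure is down to the password, the key-bag encryption algorithm, or the JVM's crypto provider rather than the file itself.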
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356319