Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10?
Explanation: http://www.petefreitag.com/item/803.cfm

On Jul 25, 2013, at 4:44 PM, "Jeff Garza" <j...@garzasixpack.com> wrote:

> Mark,
>
> On the CF9 Server we're at Java version 1.6.0_17 and the arguments from
> the CFAdmin look like the following: "-server -Dsun.io.useCanonCaches=false
> -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch
> -Dcoldfusion.rootDir={application.home}/../
> -Dcoldfusion.libPath={application.home}/../lib
> -Dcoldfusion.spooltimeout=120".
>
> On the CF10 server it's at Java version 1.7.0_15 and the args are:
> "-server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch
> -Dcoldfusion.home={application.home}
> -Dcoldfusion.rootDir={application.home}
> -Dcoldfusion.libPath={application.home}/lib
> -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true
> -Dcoldfusion.jsafe.defaultalgo=FIPS186Random
> -Dcoldfusion.spooltimeout=120"
>
> Though, based on the error, I don't think this is a handshake issue. It
> looks like an issue where the JVM can't even open the certificate file to
> pass the public key on to the server. Which is why this is so strange that
> CF9 with the older JVM would be able to do it, but the new one can't.
>
> --Jeff
>
> -------- Original Message --------
>> From: "Mark A Kruger" <mkru...@cfwebtools.com>
>> Sent: Thursday, July 25, 2013 1:25 PM
>> To: "cf-talk" <cf-talk@houseoffusion.com>
>> Subject: RE: issue with cfhttp and client certificates
>>
>> Jeff,
>>
>> What JVM version are you using on CF9 and what do the args look like?
>> Sometimes it's a matter of the handshake and levels of TLS/SSL - the error
>> may be not specific enough to tell. You can enable logging to get a grip on
>> it though. That would tell you more.
>>
>> -Mark
>>
>>
>> -----Original Message-----
>> From: Jeff Garza [mailto:j...@garzasixpack.com]
>> Sent: Thursday, July 25, 2013 12:25 PM
>> To: cf-talk
>> Subject: issue with cfhttp and client certificates
>>
>>
>> Ok, so here's the issue. A process that was working just fine on CF9 is
>> now broken on CF10. We have a service that we call that requires us to
>> submit a client certificate to the server. In CF9, this worked just fine.
>> Use the clientcert and clientcertpass attributes of CFHTTP and you're good
>> to go. It reads the .pfx file fine and everything runs... This is not a
>> cacerts issue as you do not have to have the key in the keystore to use
>> it.
>>
>> Forward to CF10, the exact same code and certificates now gives the error:
>>
>> "Error while trying to get the SSL client certificate:
>> java.security.UnrecoverableKeyException: Could not decrypt key: Could not
>> decode key from BER. (Invalid encoding: expected tag not there. )."
>>
>> It's like it's unable to open the .pfx certificate file.
>>
>> I know this is a long shot since there are not many folks out there using
>> client certs, but has anyone else run across this issue?
>>
>> Thanks,
>> Jeff Garza
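
One way to test the two questions raised in this thread outside of CFHTTP, as an added example that is not code from any poster: run with each server's JVM in turn, it reports the JCE key-length policy in force and tries to open the .pfx and recover its private key. The class name `PfxCheck` and the file path are assumptions, and it uses whichever PKCS12 provider the bare JVM resolves, which may not be the one ColdFusion itself uses.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical class name): java PfxCheck /path/to/client.pfx
public class PfxCheck {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): java PfxCheck <file.pfx>");
            System.exit(2);
        }
        // Prompt instead of taking the password as an argument, so it does
        // not end up in shell history or the process list.
        char[] pass = console.readPassword("PFX password: ");
        System.out.println("java.version = " + System.getProperty("java.version"));
        // 128 = limited-strength JCE policy; Integer.MAX_VALUE = unlimited.
        System.out.println("max AES key bits = " + Cipher.getMaxAllowedKeyLength("AES"));

        KeyStore ks = KeyStore.getInstance("PKCS12");
        System.out.println("PKCS12 provider = " + ks.getProvider().getName());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass); // parses the container and verifies its MAC
        }

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate-only entry");
                continue;
            }
            // The private key is requested here; a key that cannot be
            // recovered raises UnrecoverableKeyException.
            Key key = ks.getKey(alias, pass);
            System.out.println(alias + ": key algorithm = " + key.getAlgorithm());
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                System.out.println("  subject = " + x.getSubjectX500Principal());
                System.out.println("  expires = " + x.getNotAfter());
            }
        }
    }
}
```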