The .pfx is a RSA 1024 bit key. Nothing out of the usual. And this exact key worked just fine in a default install of CF9. -- Jeff
-------- Original Message -------- > From: "Jon Clausen" <jon_clau...@silowebworks.com> > Sent: Thursday, July 25, 2013 3:29 PM > To: "cf-talk" <cf-talk@houseoffusion.com> > Subject: Re: issue with cfhttp and client certificates > > Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10? > > Explanation: http://www.petefreitag.com/item/803.cfm > > > On Jul 25, 2013, at 4:44 PM, "Jeff Garza" <j...@garzasixpack.com> wrote: > > > > > Mark, > > > > On the CF9 Server we're at Java version 1.6.0_17 and the arguments from > > the CFAdmin look like the following: "-server -Dsun.io.useCanonCaches=false > > -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch > > -Dcoldfusion.rootDir={application.home}/../ > > -Dcoldfusion.libPath={application.home}/../lib > > -Dcoldfusion.spooltimeout=120". > > > > On the CF10 server it's at Java version 1.7.0_15 and the args are: > > "-server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch > > -Dcoldfusion.home={application.home} > > -Dcoldfusion.rootDir={application.home} > > -Dcoldfusion.libPath={application.home}/lib > > -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true > > -Dcoldfusion.jsafe.defaultalgo=FIPS186Random > > -Dcoldfusion.spooltimeout=120" > > > > Though, based on the error, I don't think this is a handshake issue. It > > looks like an issue where the JVM can't even open the certificate file to > > pass the public key on to the server. Which is why this is so strange that > > CF9 with the older JVM would be able to do it, but the new one can't. > > --Jeff > > > > -------- Original Message -------- > >> From: "Mark A Kruger" <mkru...@cfwebtools.com> > >> Sent: Thursday, July 25, 2013 1:25 PM > >> To: "cf-talk" <cf-talk@houseoffusion.com> > >> Subject: RE: issue with cfhttp and client certificates > >> > >> Jeff, > >> > >> What JVM version are you using on CF9 and what do the args look like? > >> Sometimes it's a matter of the handshake and levels of TLS/SSL - the > > error > >> may be not specific enough to tell. You can enable logging to get a grip > > on > >> it though. That would tell you more. > >> > >> -Mark > >> > >> > >> -----Original Message----- > >> From: Jeff Garza [mailto:j...@garzasixpack.com] > >> Sent: Thursday, July 25, 2013 12:25 PM > >> To: cf-talk > >> Subject: issue with cfhttp and client certificates > >> > >> > >> Ok, so here's the issue. A process that was working just fine on CF9 is > > > >> now broken on CF10. We have a service that we call that requires us to > >> submit a client certificate to the server. In CF9, this worked just > > fine. > >> Use the clientcert and clientcertpass attributes of CFHTTP and you're > > good > >> to go. It reads the .pfx file fine and everything runs... This is not a > > > >> cacerts issue as you do not have to have the key in the keystore to use > >> it. > >> Forward to CF10, the exact same code and certificates now gives the > > error: > >> > >> "Error while trying to get the SSL client certificate: > >> java.security.UnrecoverableKeyException: Could not decrypt key: Could not > > > >> decode key from BER. (Invalid encoding: expected tag not there. )." > >> It's like it's unable to open the .pfx certificate file. > >> I know this is a long shot since there are not many folks out there using > > > >> client certs, but has anyone else run across this issue? > >> Thanks, > >> Jeff Garza > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356324 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm