Russ,

Would changing the sys property for unsafe renegotiation allow the JVM to
proceed if this was the issue?

-Mark

(I'm thinking of this arg -Dsun.security.ssl.allowUnsafeRenegotiation=true )

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Thursday, July 25, 2013 6:25 PM
To: cf-talk
Subject: Re: issue with cfhttp and client certificates


It should be noted that the minimum requirement for certs now is 2048-bit;
it is not even possible to generate a cert with less than this with most
CSA's, so perhaps this is the issue. Maybe 1024 is not even supported by
Java now.


On Thu, Jul 25, 2013 at 11:52 PM, Jeff Garza <j...@garzasixpack.com> wrote:

>
> The .pfx is an RSA 1024-bit key.  Nothing out of the usual.  And this exact
> key worked just fine in a default install of CF9.
> --
> Jeff
>
> -------- Original Message --------
> > From: "Jon Clausen" <jon_clau...@silowebworks.com>
> > Sent: Thursday, July 25, 2013 3:29 PM
> > To: "cf-talk" <cf-talk@houseoffusion.com>
> > Subject: Re: issue with cfhttp and client certificates
> >
> > Long shot, but what is the key length on the encryption?  Could it be an
> > issue with the encryption capabilities currently set on the new JVM for
> > CF10?
> >
> > Explanation: http://www.petefreitag.com/item/803.cfm
> >
> >
> > On Jul 25, 2013, at 4:44 PM, "Jeff Garza" <j...@garzasixpack.com> wrote:
> >
> > >
> > > Mark,
> > >
> > > On the CF9 Server we're at Java version 1.6.0_17 and the arguments from
> > > the CFAdmin look like the following: "-server -Dsun.io.useCanonCaches=false
> > > -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch
> > > -Dcoldfusion.rootDir={application.home}/../
> > > -Dcoldfusion.libPath={application.home}/../lib
> > > -Dcoldfusion.spooltimeout=120".
> > >
> > > On the CF10 server it's at Java version 1.7.0_15  and the args are:
> > > "-server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch
> > > -Dcoldfusion.home={application.home}
> > > -Dcoldfusion.rootDir={application.home}
> > > -Dcoldfusion.libPath={application.home}/lib
> > > -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true
> > > -Dcoldfusion.jsafe.defaultalgo=FIPS186Random
> > > -Dcoldfusion.spooltimeout=120"
> > >
> > > Though, based on the error, I don't think this is a handshake issue. It
> > > looks like an issue where the JVM can't even open the certificate file to
> > > pass the public key on to the server.  Which is why this is so strange that
> > > CF9 with the older JVM would be able to do it, but the new one can't.
> > > --Jeff
> > >
> > > -------- Original Message --------
> > >> From: "Mark A Kruger" <mkru...@cfwebtools.com>
> > >> Sent: Thursday, July 25, 2013 1:25 PM
> > >> To: "cf-talk" <cf-talk@houseoffusion.com>
> > >> Subject: RE: issue with cfhttp and client certificates
> > >>
> > >> Jeff,
> > >>
> > >> What JVM version are you using on CF9 and what do the args look like?
> > >> Sometimes it's a matter of the handshake and levels of TLS/SSL - the
> > >> error may be not specific enough to tell. You can enable logging to get a
> > >> grip on it though. That would tell you more.
> > >>
> > >> -Mark
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: Jeff Garza [mailto:j...@garzasixpack.com]
> > >> Sent: Thursday, July 25, 2013 12:25 PM
> > >> To: cf-talk
> > >> Subject: issue with cfhttp and client certificates
> > >>
> > >>
> > >> Ok, so here's the issue.  A process that was working just fine on CF9 is
> > >> now broken on CF10.  We have a service that we call that requires us to
> > >> submit a client certificate to the server.  In CF9, this worked just fine.
> > >> Use the clientcert and clientcertpass attributes of CFHTTP and you're good
> > >> to go.  It reads the .pfx file fine and everything runs...  This is not a
> > >> cacerts issue as you do not have to have the key in the keystore to use
> > >> it.
> > >> Forward to CF10, the exact same code and certificates now give the
> > >> error:
> > >>
> > >> "Error while trying to get the SSL client certificate:
> > >> java.security.UnrecoverableKeyException: Could not decrypt key: Could not
> > >> decode key from BER. (Invalid encoding: expected tag not there. )."
> > >> It's like it's unable to open the .pfx certificate file.
> > >> I know this is a long shot since there are not many folks out there using
> > >> client certs, but has anyone else run across this issue?
> > >> Thanks,
> > >> Jeff Garza
> > >
> > >
> >
> >
>
> 
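A small diagnostic, added here and not part of the thread, that separates Jeff's two hypotheses (the JVM cannot decode the .pfx at all vs. a TLS handshake problem): it loads the PKCS12 file through the JVM's own KeyStore API, which is the path cfhttp's clientcert/clientcertpass must also take, and reports each private key's algorithm and modulus size. Run it once under the CF9 JVM and once under the CF10 JVM to compare; the class name PfxCheck and the path/password command-line arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.interfaces.RSAKey;
import java.util.Enumeration;

// Usage: java PfxCheck client.pfx <password>
// Example diagnostic (not from the thread). Loads the .pfx with the running
// JVM's own PKCS12 provider and lists every private-key entry with its
// algorithm and modulus size. A failure in load() or getKey() means this JVM
// cannot decode the file, independent of any TLS handshake with the service.
// Written for Java 6+ so it also runs on the CF9 JVM (1.6.0_17).
public class PfxCheck {

    // RSA modulus length in bits, or -1 for a non-RSA key.
    static int rsaBits(Key key) {
        return (key instanceof RSAKey) ? ((RSAKey) key).getModulus().bitLength() : -1;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PfxCheck <file.pfx> <password>");
            System.exit(2);
        }
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, pw);   // fails if the PKCS12 container is unreadable or the password is wrong
        } finally {
            in.close();
        }
        System.out.println("Java " + System.getProperty("java.version") + ", entries: " + ks.size());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;   // certificate-only entry, nothing to decrypt
            try {
                // The decrypt/BER-decode step; this is where the CF10 error in the thread is raised.
                Key key = ks.getKey(alias, pw);
                System.out.printf("%s: %s private key, %d bits%n", alias, key.getAlgorithm(), rsaBits(key));
            } catch (UnrecoverableKeyException ex) {
                System.out.println(alias + ": key could not be decrypted: " + ex.getMessage());
            }
        }
    }
}
```

If the CF10 JVM reports the UnrecoverableKeyException here while the CF9 JVM lists the key normally, the difference lies in how the two JVMs decode the container, and renegotiation or handshake settings will not change the outcome.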



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356326