Re: ColdFusion 11 CFHTTP issue with HTTPS and proxy
This Ray Camden blog post may help: http://www.raymondcamden.com/2014/05/22/Important-note-about-ColdFusion-11-and-CFHTTP -- Larry C. Lyons Applications Architect US Department of the Interior Office of the Secretary Office of the Chief Information Officer -- Hi all, I'm working with Adobe support on this issue but I wanted to post it out to this group in case anyone has ideas on how to deal with this situation. We've got some internal only CF apps that live behind a web proxy on our network. In CF 9 we could make CFHTTP requests to external vendor sites over HTTPS, with the proxy attributes set correctly, everything worked great. Now we're in the process of moving to CF 11 and this no longer works (only with URLs that are accessed over HTTPS, like our payment processor, HTTP requests are fine). As a test I set up two CFHTTP calls using the same URL, one over HTTP and one over HTTPS. On CF 11 when I use the CFHTTP tag for the HTTP URL (with proxy settings and credentials) I get a 200 OK response and the page contents (perfect). When I try the exact same tag with the HTTPS URL, I get a 407 Proxy Authentication Required (boo). I've tried different JVMs, different platforms (Windows 7, Server 2012, Mac OS X) with no difference. What I discovered when I did a packet capture was that for the HTTP request (CF 9 or CF 11) I had a Proxy-Authorization header with the credentials Base64 encoded. For the HTTPS request, CF 9 has that same Proxy-Authorization header, but CF 11 does not. In fact there are quite a few request headers missing in the HTTP request for HTTPS in CF 11. I tried to manually add the header using the CFHTTPPARAM tag which did not seem to change anything. I've been working with support for about three weeks now and I'm not making any headway. I have confirmed for them that everything works in CF 9 (running on JRun) but not in either CF 10 or CF 11 (which is Tomcat based). So I'm wondering if there's a Tomcat problem, but since the shipped version of Tomcat is Adobe ColdFusion specific I'm hoping that the Adobe engineers can identify a solution. Has anyone run in to anything like this, and if so, how did you fix it? Thanks in advance, Lincoln Lincoln Milner Web Technical Lead Database Services Donegal Insurance Group lincolnmil...@donegalgroup.commailto:lincolnmil...@donegalgroup.com E-MAIL CONFIDENTIALITY NOTICE: This e-mail from Donegal Insurance Group may contain CONFIDENTIAL and legally protected information. If you are not an intended recipient, please do not copy, use or disclose this email or its contents to others; and please notify us by calling toll free (800) 877-0600 x7880 or by replying to this message, and then delete it from your system. Delivery of this email to an unintended recipient is not a waiver of any attorney-client or other applicable privilege. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360463 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
Payments were getting processed but the results confirmation didn't work. This is on Coldfusion 8. That was exactly the problem, on CF 9 also. the certificate needed is the Verisign G5 certificate In my case, the certificate I got from the Paypal site was a Symantec certificate. That is probably the problem: Paypal must have moved from Verisign to Symantec, which is logical since both Paypal ans Symantec are owned by eBay. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360368 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
Verisign certificate products have been taken over by Symantec. 2015-04-03 18:54 GMT+02:00 : Payments were getting processed but the results confirmation didn't work. This is on Coldfusion 8. That was exactly the problem, on CF 9 also. the certificate needed is the Verisign G5 certificate In my case, the certificate I got from the Paypal site was a Symantec certificate. That is probably the problem: Paypal must have moved from Verisign to Symantec, which is logical since both Paypal ans Symantec are owned by eBay. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360369 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
When I read these messages, I checked one of my old websites that uses paypal integration services and found that it stopped working. Payments were getting processed but the results confirmation didn't work. This is on Coldfusion 8. Thanks to this thread I found the problem and fixed it.. but just to make it faster for others... the certificate needed is the Verisign G5 certificate which you can get at https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=contentactp=CROSSLINKid=SO5624 To see if you have it installed - and to install it if you don't, use: https://github.com/webdevsourcerer/CF-CertMan and install the version for your coldfusion version. After installing, you need to restart the cold fusion service. For those that like details, the paypal notice is at https://ppmts.custhelp.com/ci/fattach/get/471495/1425083092/redirect/1/filename/2015%20Merchant%20Security%20System%20Upgrade%20Guide%20(U.S.%20English).pdf Thanks ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360367 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
So then is the symantec certificate newer? Should I also add that? What is the link to it? They have so many certificates on paypal Verisign certificate products have been taken over by Symantec. 2015-04-03 18:54 GMT+02:00 : Payments were getting processed but the results confirmation didn't work. This is on Coldfusion 8. That was exactly the problem, on CF 9 also. the certificate needed is the Verisign G5 certificate In my case, the certificate I got from the Paypal site was a Symantec certificate. That is probably the problem: Paypal must have moved from Verisign to Symantec, which is logical since both Paypal ans Symantec are owned by eBay. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360371 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
Best option is to contact PayPal support with that question. They should be able to point you to the valid certs. Good luck, Michael On Friday, April 3, 2015, Al Musella, DPM muse...@virtualtrials.com wrote: So then is the symantec certificate newer? Should I also add that? What is the link to it? They have so many certificates on paypal Verisign certificate products have been taken over by Symantec. 2015-04-03 18:54 GMT+02:00 : Payments were getting processed but the results confirmation didn't work. This is on Coldfusion 8. That was exactly the problem, on CF 9 also. the certificate needed is the Verisign G5 certificate In my case, the certificate I got from the Paypal site was a Symantec certificate. That is probably the problem: Paypal must have moved from Verisign to Symantec, which is logical since both Paypal ans Symantec are owned by eBay. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360372 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
Paypal support is useless. I contacted them 3 times for another issue last week and they couldn't help at all At 04:11 PM 4/3/2015, you wrote: Best option is to contact PayPal support with that question. They should be able to point you to the valid certs. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360373 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
you need to import the certificate to the java cacerts as a trusted certificate to by-pass the security matching. That was the trick. I imported the Paypal certificate and now it works. Thanks a lot. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360349 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP and SSL
This sounds like it could be the Poodle vulnerability that I faced a few months back when Chase Paymentech disabled SSL 3.0. What version of Java is the server running? Java 7 allows SSL 3.0 to negotiate using TLS. I had to convince my host to update from Java 6. On Mon, Mar 30, 2015 at 1:33 PM, wrote: Hi, I have an application under CF 9 with a paiment module using Paypal. At the end of the process, Paypal acknowledges the paiement and my app calls a Paypal page to validate the whole operation. This is done with a CFHTTP call This application has been working fine for years with no modification, bur all of a sudden starting March 23rd, I get this error: I/O Exception: peer not authenticated It appears to be an error with the SSL certificate, but how come ? The Paypal site is verified by Verisign. What ca I do? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360340 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Sudden error with CFHTTP and SSL
Try taking the restricted ip addresses out of your paypal account - we ran into this as well and after 2 days of battling it, this did fix the issue for us Sincerely, Kurt Kaptein President Spectrum Net Designs, Inc PO Box 806 Grandville, MI 49468 Ph: 616-538-2914 Toll Free: 866-773-2638 Fax: 616-538-5691 Visit our Website: www.spectrumnetdesigns.com Email: k...@spectrumnetdesigns.com -Original Message- From: Michael Grant [mailto:mgr...@modus.bz] Sent: Wednesday, April 1, 2015 3:29 PM To: cf-talk Subject: Re: Sudden error with CFHTTP and SSL This sounds like it could be the Poodle vulnerability that I faced a few months back when Chase Paymentech disabled SSL 3.0. What version of Java is the server running? Java 7 allows SSL 3.0 to negotiate using TLS. I had to convince my host to update from Java 6. On Mon, Mar 30, 2015 at 1:33 PM, wrote: Hi, I have an application under CF 9 with a paiment module using Paypal. At the end of the process, Paypal acknowledges the paiement and my app calls a Paypal page to validate the whole operation. This is done with a CFHTTP call This application has been working fine for years with no modification, bur all of a sudden starting March 23rd, I get this error: I/O Exception: peer not authenticated It appears to be an error with the SSL certificate, but how come ? The Paypal site is verified by Verisign. What ca I do? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360342 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP and SSL
I suspect they disabled various ssl protocols due to poodle, you should ask them. The default response ro poodle was to disable everything except latest tls version, which is not supported out of the box by the jvm that ships with cf9. On Mon, Mar 30, 2015 at 18:33 PM, wrote: Hi, I have an application under CF 9 with a paiment module using Paypal. At the end of the process, Paypal acknowledges the paiement and my app calls a Paypal page to validate the whole operation. This is done with a CFHTTP call This application has been working fine for years with no modification, bur all of a sudden starting March 23rd, I get this error: I/O Exception: peer not authenticated It appears to be an error with the SSL certificate, but how come ? The Paypal site is verified by Verisign. What ca I do? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360346 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP and SSL
If they have disable the older SSL protocols here are two blog posts I did on how to handle that with CFHTTP and your Java version. Java Version http://www.trunkful.com/index.cfm/2014/11/24/ColdFusion-JVM-SSL-CA-CERTS-and-POODLE CFHTTP and JVM switches http://www.trunkful.com/index.cfm/2014/12/8/Preventing-SSLv3-Fallback-in-ColdFusion If they have disabled TLSv1.0 then we could have bigger troubles. Regards, Wil Wil Genovese Sr. Web Application Developer/ Systems Administrator CF Webtools www.cfwebtools.com wilg...@trunkful.com www.trunkful.com On Apr 1, 2015, at 5:41 PM, Russ Michaels r...@michaels.me.uk wrote: I suspect they disabled various ssl protocols due to poodle, you should ask them. The default response ro poodle was to disable everything except latest tls version, which is not supported out of the box by the jvm that ships with cf9. On Mon, Mar 30, 2015 at 18:33 PM, wrote: Hi, I have an application under CF 9 with a paiment module using Paypal. At the end of the process, Paypal acknowledges the paiement and my app calls a Paypal page to validate the whole operation. This is done with a CFHTTP call This application has been working fine for years with no modification, bur all of a sudden starting March 23rd, I get this error: I/O Exception: peer not authenticated It appears to be an error with the SSL certificate, but how come ? The Paypal site is verified by Verisign. What ca I do? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360347 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
What is the URL and does the domain name match the certificate exactly, meaning not a wildcard certificate. Could be PayPal updated their SSL certificate and is either a wildcard certificate or multi-site/domain certificate (not sure what these are really called). CF will not like it if the domain is www.domain.com, but the certificate is *.domain.com. In this case, you need to import the certificate to the java cacerts as a trusted certificate to by-pass the security matching. You can either do this from the command line, or by far the easier route is this extension to CF admin. http://certman.riaforge.org/ https://www.google.com/webhp?sourceid=chrome-instantion=1espv=2ie=UTF-8#q=import+ssl+certificate+coldfusion+9+to+cacerts ~Byron On Mon, Mar 30, 2015 at 12:34 PM, wrote: Hi, I have an application under CF 9 with a paiment module using Paypal. At the end of the process, Paypal acknowledges the paiement and my app calls a Paypal page to validate the whole operation. This is done with a CFHTTP call This application has been working fine for years with no modification, bur all of a sudden starting March 23rd, I get this error: I/O Exception: peer not authenticated It appears to be an error with the SSL certificate, but how come ? The Paypal site is verified by Verisign. What ca I do? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360319 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Sudden error with CFHTTP and SSL
Hi, I have an application under CF 9 with a paiment module using Paypal. At the end of the process, Paypal acknowledges the paiement and my app calls a Paypal page to validate the whole operation. This is done with a CFHTTP call This application has been working fine for years with no modification, bur all of a sudden starting March 23rd, I get this error: I/O Exception: peer not authenticated It appears to be an error with the SSL certificate, but how come ? The Paypal site is verified by Verisign. What ca I do? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360320 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Sudden error with CFHTTP ans SSL
Hi, I have an application under CF 9 with a paiment module using Paypal. At the end of the process, Paypal acknowledges the paiement and my app calls a Paypal page to validate the whole operation. This is done with a CFHTTP call This application has been working fine for years with no modification, bur all of a sudden starting March 23rd, I get this error: I/O Exception: peer not authenticated It appears to be an error with the SSL certificate, but how come ? The Paypal site is verified by Verisign. What ca I do? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360318 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
Could be PayPal updated their SSL It must be the problem, because I have other paiement services and they have no problem. I'm trying your suggestion, thanks. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360328 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Sudden error with CFHTTP ans SSL
I also once solved this by editing the hosts file on the server and adding lines to force the name on the cert to point to the right IP. On Tue, Mar 31, 2015 at 8:51 AM, Byron Mann byronos...@gmail.com wrote: What is the URL and does the domain name match the certificate exactly, meaning not a wildcard certificate. Could be PayPal updated their SSL certificate and is either a wildcard certificate or multi-site/domain certificate (not sure what these are really called). CF will not like it if the domain is www.domain.com, but the certificate is *.domain.com. In this case, you need to import the certificate to the java cacerts as a trusted certificate to by-pass the security matching. You can either do this from the command line, or by far the easier route is this extension to CF admin. http://certman.riaforge.org/ https://www.google.com/webhp?sourceid=chrome-instantion=1espv=2ie=UTF-8#q=import+ssl+certificate+coldfusion+9+to+cacerts ~Byron On Mon, Mar 30, 2015 at 12:34 PM, wrote: Hi, I have an application under CF 9 with a paiment module using Paypal. At the end of the process, Paypal acknowledges the paiement and my app calls a Paypal page to validate the whole operation. This is done with a CFHTTP call This application has been working fine for years with no modification, bur all of a sudden starting March 23rd, I get this error: I/O Exception: peer not authenticated It appears to be an error with the SSL certificate, but how come ? The Paypal site is verified by Verisign. What ca I do? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360321 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Threaded cfhttp example
Here try this. I snipped it out of something I use to build static pages with CFHTTP. It builds thousands of them based on query output. I wanted it to run multiple threads at once but not so many it fried CF. So the code keeps track of how many threads are running and limits their number to a value you specify. variables.threadcount sets the number of threads to allow to run concurrently. For your routine you could have the urls you want to canvas in a db, query them as seen below and then reference the query output's current row in the loop via the loopCounter variable as shown. cfscript variables.threadArray=arrayNew(1); variables.threadCount=3; /cfscript cfquery name=getData datasource=#server.DSN# username=#server.userName# password=#server.password# SELECT fileName.primaryKey FROM fileName WHERE 0=0 ORDER BY fileName.primaryKey ASC /cfquery cfset variables.loopCounter=0 cfloop condition=variables.loopCounter LT getData.recordCount !--- count the threads that are currently live --- cfset variables.threadsLive=arrayLen(variables.threadArray) !--- Do we have an available thread? --- cfif variables.threadsLive lt variables.threadCount !--- A thread is available. Increment the loopCounter and give it a name --- cfset variables.loopCounter=variables.loopCounter+1 cfset variables.thisThreadID=createUUID() cfset temp=arrayAppend(variables.threadArray,variables.thisThreadID) !--- create the thread whose name we specified and have reserved --- cfthread name=#variables.thisThreadID# action=run !--- CF Code to be run inside the thread goes here. This next cfset is just a dummy --- cfset variables.foo=getdata.ID[variables.loopCounter] !--- remove the now-completed thread from the live list --- cfset temp=arrayDeleteAt(variables.threadArray,arrayFindNoCase(variables.threadArray,variables.thisThreadID)) /cfthread /cfif /cfloop -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360142 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Threaded cfhttp example
Hello Experts! I have been trying to create a multi-threaded cfhttp request script, but I have so far failed miserably. I want to run 10 concurrent threads that call URLS using cfhttp and I want to store the results (basically cfhttp.filecontent) in an array or a similar structure that I can loop once all threads have finished. Can someone provide me with a working example of this? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360120 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Threaded cfhttp example
This should get you started. The cfthread join waits the specific timeout for the threads in the name list to finish. If not all threads are complete, things continue on, so you may want to perform checks against the threads returned in cfthread to ensure the values exists, etc. cfthread action=run aUrl=http://www.google.com; name=t1 cfhttp method=get url=#aUrl# timeout='10' / cfset thread.rtn = cfhttp.fileContent.length() /cfthread cfthread action=run aUrl=http://www.google.com; name=t2 cfhttp method=get url=#aUrl# timeout='10' / cfset thread.rtn = cfhttp.fileContent.length() /cfthread cfthread action='join' name='t1,t2' timeout='5000'/cfthread cfdump var=#cfthread# Byron On Mon, Feb 16, 2015 at 7:57 AM, Michael Christensen m...@travelmarket.com wrote: Hello Experts! I have been trying to create a multi-threaded cfhttp request script, but I have so far failed miserably. I want to run 10 concurrent threads that call URLS using cfhttp and I want to store the results (basically cfhttp.filecontent) in an array or a similar structure that I can loop once all threads have finished. Can someone provide me with a working example of this? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360121 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: XMLRPC Request with CFHTTP
Thanks for the quick response. I don't believe this is helpful. I have the correct XML to send and it has been confirmed. The issue is with the web service interpreting my request and processing the XML. I believe the issue is in the header that CFHTTP creates. Actually, take a look at the code sample included at the link (not the CFC itself). There's the answer to your question. Also, honestly, a good book about HTTP would be useful here. There's a really good O'Reilly pocket guide to HTTP that would help you out. This isn't intended as a personal criticism - I think every CF developer would benefit from rereading this (including me). But understanding how HTTP works is fundamental to web programming, especially today with all the AJAX etc stuff going on. In the first line of your HTTP request, there's always something like this: [VERB] [RELATIVE URL FROM SERVER ROOT] [PROTOCOL] For example, when your browser requests the page http://training.figleaf.com/courses/acfd9.cfm, the first line of its request will look like this: GET /courses/acfd9.cfm HTTP/1.1 In your case, you want to send an XMLRPC request, so you have to POST to http://yourserver.com/XMLRPC. I don't think it will matter whether you specify HTTP/1.1 or HTTP/1.0. It shouldn't matter, anyway - that just tells the server what version of HTTP the client supports. I'm also not sure if there's a way to specify HTTP/1.0 support with CFHTTP. I suspect there is, but I don't know what it is offhand because again it generally doesn't matter. Dave Watts, CTO, Fig Leaf Software 1-202-527-9569 http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor- authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359473 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: XMLRPC Request with CFHTTP
Thanks for the quick response. I don't believe this is helpful. I have the correct XML to send and it has been confirmed. The issue is with the web service interpreting my request and processing the XML. I believe the issue is in the header that CFHTTP creates. Actually, take a look at the code sample included at the link (not the CFC itself). There's the answer to your question. Also, honestly, a good book about HTTP would be useful here. There's a really good O'Reilly pocket guide to HTTP that would help you out. This isn't intended as a personal criticism - I think every CF developer would benefit from rereading this (including me). But understanding how HTTP works is fundamental to web programming, especially today with all the AJAX etc stuff going on. In the first line of your HTTP request, there's always something like this: [VERB] [RELATIVE URL FROM SERVER ROOT] [PROTOCOL] For example, when your browser requests the page http://training.figleaf.com/courses/acfd9.cfm, the first line of its request will look like this: GET /courses/acfd9.cfm HTTP/1.1 In your case, you want to send an XMLRPC request, so you have to POST to http://yourserver.com/XMLRPC. I don't think it will matter whether you specify HTTP/1.1 or HTTP/1.0. It shouldn't matter, anyway - that just tells the server what version of HTTP the client supports. I'm also not sure if there's a way to specify HTTP/1.0 support with CFHTTP. I suspect there is, but I don't know what it is offhand because again it generally doesn't matter. Dave Watts, CTO, Fig Leaf Software 1-202-527-9569 http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor- authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359474 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: XMLRPC Request with CFHTTP
Hi Dave, Thanks for the response. I did add the /XMLRPC to the url in cfhttp and that did the trick. Donnie Carvajal Thanks for the quick response. I don't believe this is helpful. I have the correct XML to send and it has been confirmed. The issue is with the web service interpreting my request and processing the XML. I believe the issue is in the header that CFHTTP creates. Actually, take a look at the code sample included at the link (not the CFC itself). There's the answer to your question. Also, honestly, a good book about HTTP would be useful here. There's a really good O'Reilly pocket guide to HTTP that would help you out. This isn't intended as a personal criticism - I think every CF developer would benefit from rereading this (including me). But understanding how HTTP works is fundamental to web programming, especially today with all the AJAX etc stuff going on. In the first line of your HTTP request, there's always something like this: [VERB] [RELATIVE URL FROM SERVER ROOT] [PROTOCOL] For example, when your browser requests the page http://training.figleaf.com/courses/acfd9.cfm, the first line of its request will look like this: GET /courses/acfd9.cfm HTTP/1.1 In your case, you want to send an XMLRPC request, so you have to POST to http://yourserver.com/XMLRPC. I don't think it will matter whether you specify HTTP/1.1 or HTTP/1.0. It shouldn't matter, anyway - that just tells the server what version of HTTP the client supports. I'm also not sure if there's a way to specify HTTP/1.0 support with CFHTTP. I suspect there is, but I don't know what it is offhand because again it generally doesn't matter. Dave Watts, CTO, Fig Leaf Software 1-202-527-9569 http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor- authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359475 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP Raw Request
Hi Steve, Thanks for the suggestion. I've never used Fiddler before. Are there any special configurations to watch a cfhttp request? Thanks, Donnie Carvajal If you are doing this on a developer machine, install fiddler. Then you can watch everything the request and response and look at the raw outputs. It has saved me multiple times from pulling my hair out. Steve -Original Message- From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] Sent: Wednesday, October 08, 2014 12:17 PM To: cf-talk Subject: CFHTTP Raw Request I have a process that is sending xml via cfhttp and I am not getting the anticipated response from the web service. I would like to see the actual headers and the body of the request. Does anyone know if there is a way to track the raw request that is created by a cfhttp post? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359462 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: CFHTTP Raw Request
It's just a program that when run will sit between the browser and the world outside the computer (internet, intranet, etc). It displays what is going in and out. It's an easy install and adds piece to IE/Chrome/Firefox as well as installing the App. You just run it and use your web browser. If you are working with HTTPS/SSL/TLS then there is a way to set it up to track that data as well (Technically a man in the middle, but you are doing it to yourself so it's ok). Steve -Original Message- From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] Sent: Tuesday, October 14, 2014 11:21 AM To: cf-talk Subject: Re: CFHTTP Raw Request Hi Steve, Thanks for the suggestion. I've never used Fiddler before. Are there any special configurations to watch a cfhttp request? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359463 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP Raw Request
I think I may be confused. I need to see the raw headers that CFHTTP is creating. I installed Fiddler on the development and ran it. When I call the CF page that includes the CFHTTP, I am not seeing any new requests in Fiddler. I'm not sure how a browser would show me CFHTTP headers that are created. Am I missing something? Thanks, Donnie Carvajal It's just a program that when run will sit between the browser and the world outside the computer (internet, intranet, etc). It displays what is going in and out. It's an easy install and adds piece to IE/Chrome/Firefox as well as installing the App. You just run it and use your web browser. If you are working with HTTPS/SSL/TLS then there is a way to set it up to track that data as well (Technically a man in the middle, but you are doing it to yourself so it's ok). Steve -Original Message- From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] Sent: Tuesday, October 14, 2014 11:21 AM To: cf-talk Subject: Re: CFHTTP Raw Request Hi Steve, Thanks for the suggestion. I've never used Fiddler before. Are there any special configurations to watch a cfhttp request? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359465 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: CFHTTP Raw Request
Donnie, you will need a sniffer on the server to see any HTTP request from CF. If you are doing local development (where cf is installed on your laptop or desktop) then that's where your proxy/sniffer needs to live. CFHTTP is technically not a browser request - just a straight HTTP request using tcp. I use wireshark for this - fiddler is more of a browser plugin - or at least, it proxys it's data to a browser. I suspect it could work for cfhttp request -just not positive as I've never tried it. Steve's suggestion is a good one and fiddler (or Charles) is a great addition to your toolkit but it may not work in this specific instance. Sorry to redirect your efforts :) -Mark Mark Kruger - CFG CF Webtools www.cfwebtools.com www.coldfusionmuse.com O: 402.932.3318 E: mkru...@cfwebtools.com Skype: markakruger -Original Message- From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] Sent: Tuesday, October 14, 2014 11:53 AM To: cf-talk Subject: Re: CFHTTP Raw Request I think I may be confused. I need to see the raw headers that CFHTTP is creating. I installed Fiddler on the development and ran it. When I call the CF page that includes the CFHTTP, I am not seeing any new requests in Fiddler. I'm not sure how a browser would show me CFHTTP headers that are created. Am I missing something? Thanks, Donnie Carvajal It's just a program that when run will sit between the browser and the world outside the computer (internet, intranet, etc). It displays what is going in and out. It's an easy install and adds piece to IE/Chrome/Firefox as well as installing the App. You just run it and use your web browser. If you are working with HTTPS/SSL/TLS then there is a way to set it up to track that data as well (Technically a man in the middle, but you are doing it to yourself so it's ok). Steve -Original Message- From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] Sent: Tuesday, October 14, 2014 11:21 AM To: cf-talk Subject: Re: CFHTTP Raw Request Hi Steve, Thanks for the suggestion. I've never used Fiddler before. Are there any special configurations to watch a cfhttp request? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359466 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP Raw Request
you will need a sniffer on the server to see any HTTP request from CF. If you are doing local development (where cf is installed on your laptop or desktop) then that's where your proxy/sniffer needs to live. CFHTTP is technically not a browser request - just a straight HTTP request using tcp. I use wireshark for this - fiddler is more of a browser plugin - or at least, it proxys it's data to a browser. I suspect it could work for cfhttp request -just not positive as I've never tried it. Steve's suggestion is a good one and fiddler (or Charles) is a great addition to your toolkit but it may not work in this specific instance. Sorry to redirect your efforts :) Fiddler is more than a browser plugin. It's a proxy server, and can in fact capture all outbound HTTP requests from your machine, regardless of what they come from. I prefer Fiddler to Wireshark for this because it's purely focused on HTTP/HTTPS and a lot easier to read. However, you have to configure clients to use it as a proxy. With CF, you can do this at the JVM level, or you can change your CFHTTP code to use a specific proxy server. Dave Watts, CTO, Fig Leaf Software 1-202-527-9569 http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor- authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359467 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: CFHTTP Raw Request
Ah... so you would have to use the proxy/port attributes of the cfhttp tag. I see how that would work. On the plugin install it sets that up for you with the browser. Good to know. -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: Tuesday, October 14, 2014 12:11 PM To: cf-talk Subject: Re: CFHTTP Raw Request you will need a sniffer on the server to see any HTTP request from CF. If you are doing local development (where cf is installed on your laptop or desktop) then that's where your proxy/sniffer needs to live. CFHTTP is technically not a browser request - just a straight HTTP request using tcp. I use wireshark for this - fiddler is more of a browser plugin - or at least, it proxys it's data to a browser. I suspect it could work for cfhttp request -just not positive as I've never tried it. Steve's suggestion is a good one and fiddler (or Charles) is a great addition to your toolkit but it may not work in this specific instance. Sorry to redirect your efforts :) Fiddler is more than a browser plugin. It's a proxy server, and can in fact capture all outbound HTTP requests from your machine, regardless of what they come from. I prefer Fiddler to Wireshark for this because it's purely focused on HTTP/HTTPS and a lot easier to read. However, you have to configure clients to use it as a proxy. With CF, you can do this at the JVM level, or you can change your CFHTTP code to use a specific proxy server. Dave Watts, CTO, Fig Leaf Software 1-202-527-9569 http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor- authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359468 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: CFHTTP Raw Request
CF has to be running on your local machine to see it. If you are doing it on a development server then you have to install fiddler on the dev server and run the browser from there. Steve -Original Message- From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] Sent: Tuesday, October 14, 2014 12:53 PM To: cf-talk Subject: Re: CFHTTP Raw Request I think I may be confused. I need to see the raw headers that CFHTTP is creating. I installed Fiddler on the development and ran it. When I call the CF page that includes the CFHTTP, I am not seeing any new requests in Fiddler. I'm not sure how a browser would show me CFHTTP headers that are created. Am I missing something? Thanks, Donnie Carvajal It's just a program that when run will sit between the browser and the world outside the computer (internet, intranet, etc). It displays what is going in and out. It's an easy install and adds piece to IE/Chrome/Firefox as well as installing the App. You just run it and use your web browser. If you are working with HTTPS/SSL/TLS then there is a way to set it up to track that data as well (Technically a man in the middle, but you are doing it to yourself so it's ok). Steve -Original Message- From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] Sent: Tuesday, October 14, 2014 11:21 AM To: cf-talk Subject: Re: CFHTTP Raw Request Hi Steve, Thanks for the suggestion. I've never used Fiddler before. Are there any special configurations to watch a cfhttp request? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359469 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
XMLRPC Request with CFHTTP
I'm having an issue with a XMLRPC webservice using CFHTTP. I am getting text/html responses instead of xml. A successful non-CFHTTP request's raw header are sends as POST /XMLRPC HTTP/1.0. The CFHTTP request's header sends as POST / HTTP/1.1. I believe the issue is the missing /XMLRPC. Does anyone know how to get CFHTTP to include this in the POST request? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359470 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: XMLRPC Request with CFHTTP
Helpful...? http://www.houseoffusion.com/groups/xml/thread.cfm/threadid:108 On Tue, Oct 14, 2014 at 4:08 PM, Donnie Carvajal donnie.carva...@transformyx.com wrote: I'm having an issue with a XMLRPC webservice using CFHTTP. I am getting text/html responses instead of xml. A successful non-CFHTTP request's raw header are sends as POST /XMLRPC HTTP/1.0. The CFHTTP request's header sends as POST / HTTP/1.1. I believe the issue is the missing /XMLRPC. Does anyone know how to get CFHTTP to include this in the POST request? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359471 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: XMLRPC Request with CFHTTP
Hi John, Thanks for the quick response. I don't believe this is helpful. I have the correct XML to send and it has been confirmed. The issue is with the web service interpreting my request and processing the XML. I believe the issue is in the header that CFHTTP creates. Donnie Carvajal Helpful...? http://www.houseoffusion.com/groups/xml/thread.cfm/threadid:108 On Tue, Oct 14, 2014 at 4:08 PM, Donnie Carvajal donnie.carva...@transformyx.com wrote: ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359472 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFHTTP Raw Request
I have a process that is sending xml via cfhttp and I am not getting the anticipated response from the web service. I would like to see the actual headers and the body of the request. Does anyone know if there is a way to track the raw request that is created by a cfhttp post? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359412 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: CFHTTP Raw Request
If you are doing this on a developer machine, install fiddler. Then you can watch everything the request and response and look at the raw outputs. It has saved me multiple times from pulling my hair out. Steve -Original Message- From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] Sent: Wednesday, October 08, 2014 12:17 PM To: cf-talk Subject: CFHTTP Raw Request I have a process that is sending xml via cfhttp and I am not getting the anticipated response from the web service. I would like to see the actual headers and the body of the request. Does anyone know if there is a way to track the raw request that is created by a cfhttp post? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359413 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP Raw Request
Try the getpagecontext or getmetadata functions. On Wed, Oct 8, 2014 at 17:17 PM, Donnie Carvajal donnie.carva...@transformyx.com wrote: I have a process that is sending xml via cfhttp and I am not getting the anticipated response from the web service. I would like to see the actual headers and the body of the request. Does anyone know if there is a way to track the raw request that is created by a cfhttp post? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359415 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFHTTP Host Header Issue
Hi All, I have a project that requires me to connect to a web server that requires a request header host value that is different from the URL of the request. For example... cfhttp url=http//www.domain1.com method=post chttpparam type=header name=Host value=www.domain2.com ... /cfhttpparam Does anyone know if cfhttp can send a separate Host in the header from the cfhttp url attribute? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359410 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP Host Header Issue
this would be spoofing and is very easy to do. Whether or not you can do it via cfhttp I do not know, if not then try adding a cfheader as well. You should certainly be able to do it from the web server, I know on IIS you can use the URL rewrite tool to change OUTGOING requests as well as incoming. However the more legitimate way to do it, would be to simply add your other domain as an alias to the site, and use that to access the page, so it is a legitimate request. The domain name the request comes from should be the one sent in the host header. On Tue, Oct 7, 2014 at 5:25 PM, Donnie Carvajal donnie.carva...@transformyx.com wrote: Hi All, I have a project that requires me to connect to a web server that requires a request header host value that is different from the URL of the request. For example... cfhttp url=http//www.domain1.com method=post chttpparam type=header name=Host value=www.domain2.com ... /cfhttpparam Does anyone know if cfhttp can send a separate Host in the header from the cfhttp url attribute? Thanks, Donnie Carvajal ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359411 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFHTTP connection failure
Here's a weird one, trying to set up a secure SFTP connection. We can telnet to it and connect via an ftp client. But cfftp gets refused. Any ideas? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359288 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP connection failure
A few questions... first can you show us some code? Second, are you sure it is SFTP and not FTPS? What happens if you try to use an SSH client like Putty? Are you able to connect? The SFTP server should be listening on port 22 - your telnet connection uses port 23 and your ftp connection uses port 21 so they are not really helping you diagnose your SFTP problem. By attempting an SSH connection with Putty you can determine your target is listening on port 22. Dont forget to tell cfftp to use port 22 and secure = true. Steve On Thu, Sep 11, 2014 at 3:05 PM, Scott Stewart webmas...@sstwebworks.com wrote: Here's a weird one, trying to set up a secure SFTP connection. We can telnet to it and connect via an ftp client. But cfftp gets refused. Any ideas? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359289 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP connection failure
This is specific to our production environment, the exact same code works fine in our staging environment.. But a putty connection may be worth a shot. We did have to install the Java JCE extensions. But again it works in every other environment but production. On Sep 11, 2014 3:20 PM, Steve Milburn scmilb...@gmail.com wrote: A few questions... first can you show us some code? Second, are you sure it is SFTP and not FTPS? What happens if you try to use an SSH client like Putty? Are you able to connect? The SFTP server should be listening on port 22 - your telnet connection uses port 23 and your ftp connection uses port 21 so they are not really helping you diagnose your SFTP problem. By attempting an SSH connection with Putty you can determine your target is listening on port 22. Dont forget to tell cfftp to use port 22 and secure = true. Steve On Thu, Sep 11, 2014 at 3:05 PM, Scott Stewart webmas...@sstwebworks.com wrote: Here's a weird one, trying to set up a secure SFTP connection. We can telnet to it and connect via an ftp client. But cfftp gets refused. Any ideas? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359290 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP connection failure
We got this figured out.. Our apps need to be refreshed when changes are made to the settings ini file. Our production team didn't refresh.. DOH!! On Sep 11, 2014 3:30 PM, Scott Stewart webmas...@sstwebworks.com wrote: This is specific to our production environment, the exact same code works fine in our staging environment.. But a putty connection may be worth a shot. We did have to install the Java JCE extensions. But again it works in every other environment but production. On Sep 11, 2014 3:20 PM, Steve Milburn scmilb...@gmail.com wrote: A few questions... first can you show us some code? Second, are you sure it is SFTP and not FTPS? What happens if you try to use an SSH client like Putty? Are you able to connect? The SFTP server should be listening on port 22 - your telnet connection uses port 23 and your ftp connection uses port 21 so they are not really helping you diagnose your SFTP problem. By attempting an SSH connection with Putty you can determine your target is listening on port 22. Dont forget to tell cfftp to use port 22 and secure = true. Steve On Thu, Sep 11, 2014 at 3:05 PM, Scott Stewart webmas...@sstwebworks.com wrote: Here's a weird one, trying to set up a secure SFTP connection. We can telnet to it and connect via an ftp client. But cfftp gets refused. Any ideas? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359291 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFHTTP charset issue
We're using CFHTTP to query a java service. The system basically takes a piece of text and posts it via CFHTTP to a custom service written in Java. The problem is occuring because CF doesn't seem to be setting the character encoding correctly. Consequently special characters like smart quotes are becoming garbled. My cfhttp code is very simple: cfhttp method=post url= http://localhost/?userid=#session.user.id#type=ExtractClean; port=#application.SemxPort# charset=utf-8 cfhttpparam type=body value=#params.cleantext# cfhttpparam type=header name=content-type value=text/html /cfhttp On the java side, our dev is using getCharacterEncoding() to return the character encoding of the request, but it's coming back with null which according to the docs means: the request does not specify a character encoding But I'm specifically setting the charset as utf-8 :( What am I missing here? Has anyone seen similar behaviour with CFHTTP and if so how did you resolve it? Or it's possible that I'm doing something wrong with my CFHTTP tag but the code is so simple it seems unlikely. If anyone has any ideas I would be most grateful for your insight :) ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358593 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP charset issue
On 5/9/2014 4:13 PM, Edward Chanter wrote: What am I missing here? if that java bit is relying on getCharacterEncoding(), i think it gets the charset from Content-Type (not exactly sure why cfhttp charset param's not setting that). so maybe try setting it via Content-Type too. cfhttpparam type=header name=content-type value=text/html;charset=utf-8 ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358595 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP charset issue
Paul, thank you so much, your suggestion sorted my problem out. You just saved a bunch of people a load of time :) On 9 May 2014 14:52, Paul Hastings p...@sustainablegis.com wrote: On 5/9/2014 4:13 PM, Edward Chanter wrote: What am I missing here? if that java bit is relying on getCharacterEncoding(), i think it gets the charset from Content-Type (not exactly sure why cfhttp charset param's not setting that). so maybe try setting it via Content-Type too. cfhttpparam type=header name=content-type value=text/html;charset=utf-8 ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358599 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: CFHTTP SSL Cert
It continues to work fine in the browser. Its pretty weird how it will work for a day and then start generating this error: AxisFault faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException faultSubcode: faultString: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate secret faultActor: faultNode: faultDetail: {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate secret at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1692) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.jav a:1675) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java :1204) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java :1181) at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.ja va:186) at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender ''/pre Note, this is the error from a webservice call, using CFHTTP generates the I/O Exception: peer not authenticated. Restarting the CFService resolves the problem temporarily. I deleted and re-added the CERT to the cacerts store yesterday with no change... Just weird right? Brook -Original Message- From: John M Bliss [mailto:bliss.j...@gmail.com] Sent: April-16-14 11:02 AM To: cf-talk Subject: Re: CFHTTP SSL Cert When cfhttp is broken, can you drop the URL into your browser and have it work? Or is it broken there too? On Wed, Apr 16, 2014 at 12:27 PM, Brook Davies cft...@logiforms.com wrote: Hey Peeps, After heartbleed, I had to re-add the EchoSign Cert to our keystore (via the keytool) on all our servers. It worked as expected, and the connection started working again. However, on one our webservers, it works, and then later that day stops being able to connect and I get I/O Exception: peer not authenticated when I try to CFHTTP to the HTTPS address. If I restart the server, it works again, and then stops working again later in the day. What the heck could cause that? My other webservers work without an issue. But this one seems to keep failing. The cert IS in the keystore... Any ideas? Brook ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358343 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFHTTP SSL Cert
Hey Peeps, After heartbleed, I had to re-add the EchoSign Cert to our keystore (via the keytool) on all our servers. It worked as expected, and the connection started working again. However, on one our webservers, it works, and then later that day stops being able to connect and I get I/O Exception: peer not authenticated when I try to CFHTTP to the HTTPS address. If I restart the server, it works again, and then stops working again later in the day. What the heck could cause that? My other webservers work without an issue. But this one seems to keep failing. The cert IS in the keystore... Any ideas? Brook ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358341 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP SSL Cert
When cfhttp is broken, can you drop the URL into your browser and have it work? Or is it broken there too? On Wed, Apr 16, 2014 at 12:27 PM, Brook Davies cft...@logiforms.com wrote: Hey Peeps, After heartbleed, I had to re-add the EchoSign Cert to our keystore (via the keytool) on all our servers. It worked as expected, and the connection started working again. However, on one our webservers, it works, and then later that day stops being able to connect and I get I/O Exception: peer not authenticated when I try to CFHTTP to the HTTPS address. If I restart the server, it works again, and then stops working again later in the day. What the heck could cause that? My other webservers work without an issue. But this one seems to keep failing. The cert IS in the keystore... Any ideas? Brook ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358342 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFHTTP SSL call returns Peer Not Authenticated
Is the server using a 2048 bit or higher key? I had a client with some issues connecting to twitter after they upgraded their SSL to 2048 bit, and the issue was resolved in this case by updating the CF9 server with the latest hotfixes (9.0.1 Cumulative Hotfix 4). I know you are on CF8, but you might still want to make sure you have applied all the hotfixes for CF8, and also update the JVM to the latest 1.6.x (since you are on CF8 you can't upgrade to java 1.7) you can find (sometimes SSL issues are bound to the jvm as well). -- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://hackmycf.com - Is your ColdFusion Server Secure? http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes On Mon, Feb 24, 2014 at 12:58 PM, David Phelan dphe...@emerginghealthit.com wrote: I have written a page that makes an SSL web service call using CFHTTP but I cannot seem to get the service to respond with anything other than Peer Not Authenticated. I have imported the certificates for the servers into the CF keystore and restarted the CF services. I found a post relating to a similar issue, but it is an issue in CF9 Enterprise only. I tried the workaround anyway to no avail. The call is being initiated by our servers in our DMZ to servers in our internal network for which we added a permanent route to our server. I can ping the server and get the replies. I can get the WSDL from the host server through the browser on the client server, but the call through CF fail. Any help would be appreciated. We are using CF8 on a win2k8 R2 server. David Phelan Web Developer IT Security Web Technologies Montefiore IT 3 Odell Plaza, Yonkers, NY 10701 914-457-6465 Office 862-234-9109 Cell dphe...@emerginghealthit.commailto:dphe...@emerginghealthit.com www.emerginghealthit.comhttp://www.emerginghealthit.com/ www.montefiore.orghttp://www.montefiore.org/ [Description: Montefiore IT logo] http://www.emerginghealthit.com/default.cfm ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357747 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFHTTP SSL call returns Peer Not Authenticated
I have written a page that makes an SSL web service call using CFHTTP but I cannot seem to get the service to respond with anything other than Peer Not Authenticated. I have imported the certificates for the servers into the CF keystore and restarted the CF services. I found a post relating to a similar issue, but it is an issue in CF9 Enterprise only. I tried the workaround anyway to no avail. The call is being initiated by our servers in our DMZ to servers in our internal network for which we added a permanent route to our server. I can ping the server and get the replies. I can get the WSDL from the host server through the browser on the client server, but the call through CF fail. Any help would be appreciated. We are using CF8 on a win2k8 R2 server. David Phelan Web Developer IT Security Web Technologies Montefiore IT 3 Odell Plaza, Yonkers, NY 10701 914-457-6465 Office 862-234-9109 Cell dphe...@emerginghealthit.commailto:dphe...@emerginghealthit.com www.emerginghealthit.comhttp://www.emerginghealthit.com/ www.montefiore.orghttp://www.montefiore.org/ [Description: Montefiore IT logo]http://www.emerginghealthit.com/default.cfm ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357743 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
Very good question actually, we recently had networking issues on some of our vps hosts where customers were reporting the same type of issue. Low pings but slow httpîªresponses. Turns out the host nodes had traffic shaping configured which basically maxed at 1 Gb even though the physical network is all 100 Gb. During backups things simply slowed down due to the traffic shaping. Byron Mann Lead Engineer Architect HostMySite.com On Feb 19, 2014 8:45 AM, Mack mrsmith.w...@gmail.com wrote: On Thu, Feb 13, 2014 at 4:57 PM, Craig Brown craigpbr...@gmail.com wrote: I have an API running on my server where I can receive an average ping response to the host server of 1ms yet when I make a CFHTTP request to the host server it takes anywhere from 300-500ms to return a response. Are you by any chance on Amazon AWS ? Or maybe some other virtualized XEN solution ? -- Mack ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357722 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
On Thu, Feb 13, 2014 at 4:57 PM, Craig Brown craigpbr...@gmail.com wrote: I have an API running on my server where I can receive an average ping response to the host server of 1ms yet when I make a CFHTTP request to the host server it takes anywhere from 300-500ms to return a response. Are you by any chance on Amazon AWS ? Or maybe some other virtualized XEN solution ? -- Mack ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357690 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
I have an API running on my server where I can receive an average ping response to the host server of 1ms yet when I make a CFHTTP request to the host server it takes anywhere from 300-500ms to return a response. Anyone have any ideas what might be causing this latency, and how I could decrease it? From having a long read about online I think the length of time it is taking is perhaps down to each cfhttp request having to open a new https connection (although I'm passing a keep-alive connection request header) and closing the connection after each request completes? I know there's a HttpComponents library but I've only ever used CF tags so don't know if this is a possible solution to help me maintain a persistent https connection or how I'd even start going about implementing it? Do I put it inside a CFFunction, CFScript etc? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357685 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
From having a long read about online I think the length of time it is taking is perhaps down to each cfhttp request having to open a new https connection (although I'm passing a keep-alive connection request header) and closing the connection after each request completes? I know there's a HttpComponents library but I've only ever used CF tags so don't know if this is a possible solution to help me maintain a persistent https connection or how I'd even start going about implementing it? Do I put it inside a CFFunction, CFScript etc? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357686 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
I have an API running on my server where I can receive an average ping response to the host server of 1ms yet when I make a CFHTTP request to the host server it takes anywhere from 300-500ms to return a response. ... From having a long read about online I think the length of time it is taking is perhaps down to each cfhttp request having to open a new https connection (although I'm passing a keep-alive connection request header) and closing the connection after each request completes? I know there's a HttpComponents library but I've only ever used CF tags so don't know if this is a possible solution to help me maintain a persistent https connection or how I'd even start going about implementing it? Do I put it inside a CFFunction, CFScript etc? I'm not sure what you read, but it seems very unlikely to me that this is the cause of your problem. It's not going to take half a second to create a new HTTPS connection. In fact, I'm not sure you actually have a problem at all. Have you tested this API with anything else, like wget? I recommend you spend more time trying to figure out what the problem is - if there's a problem at all - before you start looking for solutions to the problem you've not yet defined. Right now, your problem definition is it's slower than I think it should be. You need to turn that into something more concrete. Dave Watts, CTO, Fig Leaf Software 1-202-527-9569 http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357687 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Possible to optimise CFHTTP Response Time?
I have an API running on my server where I can receive an average ping response to the host server of 1ms yet when I make a CFHTTP request to the host server it takes anywhere from 300-500ms to return a response. Anyone have any ideas what might be causing this latency, and how I could decrease it? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357671 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
a cfhttp is not the same as a ping a ping simply sends a packet to the server and gets a response. cfhttp is requesting a page from the server, that request goes to the web server, then to cf, the page has to execute and then return all data back to your server, so the time taken depends on how long the page takes to process On Thu, Feb 13, 2014 at 2:57 PM, Craig Brown craigpbr...@gmail.com wrote: I have an API running on my server where I can receive an average ping response to the host server of 1ms yet when I make a CFHTTP request to the host server it takes anywhere from 300-500ms to return a response. Anyone have any ideas what might be causing this latency, and how I could decrease it? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357672 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
a cfhttp is not the same as a ping a ping simply sends a packet to the server and gets a response. cfhttp is requesting a page from the server, that request goes to the web server, then to cf, the page has to execute and then return all data back to your server, so the time taken depends on how long the page takes to process On Thu, Feb 13, 2014 at 2:57 PM, Craig Brown craigpbr...@gmail.com wrote: I'm not claiming that it is but I'm surprised that it's taking so long to process such a simple request (which is returning json) and was wondering if there's a way of optimising the request... ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357673 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
if it is the page you are calling which is taking the time then no, because it is not the request which is the cause. A suggested you need to check how long the page you are requesting takes to execute before blaming the connection. On Thu, Feb 13, 2014 at 3:22 PM, Craig Brown craigpbr...@gmail.com wrote: a cfhttp is not the same as a ping a ping simply sends a packet to the server and gets a response. cfhttp is requesting a page from the server, that request goes to the web server, then to cf, the page has to execute and then return all data back to your server, so the time taken depends on how long the page takes to process On Thu, Feb 13, 2014 at 2:57 PM, Craig Brown craigpbr...@gmail.com wrote: I'm not claiming that it is but I'm surprised that it's taking so long to process such a simple request (which is returning json) and was wondering if there's a way of optimising the request... ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357676 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Possible to optimise CFHTTP Response Time?
I have an API running on my server where I can receive an average ping response to the host server of 1ms yet when I make a CFHTTP request to the host server it takes anywhere from 300-500ms to return a response. Anyone have any ideas what might be causing this latency, and how I could decrease it? Do you control the API service? If so, it's like any other web program, and you can optimize it the same way you would any other web program - look for unnecessary work done at runtime, etc. If you don't control the API service, there isn't a lot you can do. There might be a problem with your machine's network connection. You could try making the request from another machine on a different network and see what happens. You don't need to use CFHTTP to test this kind of thing - you can use any HTTP client, including wget etc. And, as Russ mentioned, ping and HTTP times aren't connected in any useful way. Dave Watts, CTO, Fig Leaf Software 1-202-527-9569 http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357680 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
If you use a centralised storage for all servers in your cluster then it is easy. Russ, thanks a lot for your response (somehow I missed it last week). I read the article you linked to about client variables (good read). Are you aware of any resources which discuss how one might implement a centralised storage setup like the one you describe? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357104 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
I did it once long ago when I was still a developer, it was probably on CF5 or 6. I will presume Windows is used here, if not, just translate tot he Unix equivalents. It is basically just a file server, network attached storage, a SAN or whatever you have available. You MAP a drive on your web servers to that NAS. You will need to run CF under a user account (not system) so it has access to mapped drives, but you should be doing this anyway for security. Now you simply have some code in your application.cfc or wherever is convenient which serializes a users SESSION scope to WDDX or JSON and stores it on that mapped drive whenever something changes. Then OnSessionStart, you look for that file (based on the sessionID in the cookie), and load in the session scope and serialize it. This will handle server restarts, crashes and failover to different servers as well as the file will get loaded if it exists. This also allows you to keep your sessions alive for much longer without having to store them in memory, or if you don't want to do that, just have a schedule which deletes any files with last modified times older than your desired session limit. The updating of the session file may be the tricky bit, as you will need to update any code which writes to the session scope. The way I did this back then was to have a CFSession custom tag or function which would do the session read/write and then serialize and re-save whenever a write occurs, or if your code is more modern this would be a config bean of some sort. I did load test this solution at the time and it made no noticeable difference to performance. I'm pretty sure I also compared saving to files vs saving to a database as well and saving to files performed better. Although nowadays you could probably use a NOSQL solution such as MongoDB instead. On Mon, Nov 18, 2013 at 3:56 PM, Brian FitzGerald bmfitzgera...@yahoo.comwrote: If you use a centralised storage for all servers in your cluster then it is easy. Russ, thanks a lot for your response (somehow I missed it last week). I read the article you linked to about client variables (good read). Are you aware of any resources which discuss how one might implement a centralised storage setup like the one you describe? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357105 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
Hey Dave, Thanks a lot for your response. Please see some comments inline below: Are you using clustering to support a larger number of users than a single server? Or are you using it to provide failover in case a server fails? Or both? The clustering is mainly for supporting a large number of users to route traffic to the less busy boxes. I think the failover you mention is also in place, but I don't think that's the primary reason for the cluster. If the former, there's nothing wrong with using sticky sessions, and you won't have to change your code. I'm hoping it's the former :) I guess that's what I'm getting at though... I'm sure you've done many applications that run on clustered servers, is using sticky sessions a common and accepted practice for using cfcs in a clustered environment? Or do larger applications like this just normally stick to the client scope and use the workarounds we've mentioned if they want to use persistent objects? I've worked at two shops with clustered servers and both just used client variables and did not have persisted cfcs. I'm not sure where your userService object would live on a cluster of servers Shoot. For some reason I was thinking this would be the easy part in the sense that for some reason I was thinking the application scope would be available across all the machines and I could just store my singletons in the application scope. i.e. application.userService, application.securityService, etc. But now that I think about it, will this not work either in a clustered environment? Shoot, how do you guys solve this stuff? I must be missing something because this is the way I have learned to design applications... it can't be that it simply doesn't hold up when clustering is introduced, can it? I'd probably just serialize objects, but I'd want to make sure that I'm not storing too much in these objects due to the overhead of this process. Hmm. So you are saying you would serialize objects that would typically be stored in the application and session scopes? But I need to be careful of storing too much in them... ? Shoot it sounds fragile, and I'm trying to introduce an updated code structure to the organization. I'd hate to bring some ideas in and then have it turn out that they are fragile or unworkable on a clustered server configuration. Thank you for any additional thoughts you are willing to share. Brian ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357085 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
I'm hoping it's the former :) I guess that's what I'm getting at though... I'm sure you've done many applications that run on clustered servers, is using sticky sessions a common and accepted practice for using cfcs in a clustered environment? Or do larger applications like this just normally stick to the client scope and use the workarounds we've mentioned if they want to use persistent objects? I've worked at two shops with clustered servers and both just used client variables and did not have persisted cfcs. Lots of people use sticky sessions to solve this problem. That doesn't provide failover, but if you're not doing something extremely critical where the user can just go elsewhere (ex: ecommerce) you might not need failover. I'm not sure where your userService object would live on a cluster of servers Shoot. For some reason I was thinking this would be the easy part in the sense that for some reason I was thinking the application scope would be available across all the machines and I could just store my singletons in the application scope. i.e. application.userService, application.securityService, etc. But now that I think about it, will this not work either in a clustered environment? Shoot, how do you guys solve this stuff? I must be missing something because this is the way I have learned to design applications... it can't be that it simply doesn't hold up when clustering is introduced, can it? Think about this for a minute. The application scope is in memory. So, no, it's not going to automatically synchronize with the application scope in memory on a different physical machine - even if you use session replication. I'd probably just serialize objects, but I'd want to make sure that I'm not storing too much in these objects due to the overhead of this process. Hmm. So you are saying you would serialize objects that would typically be stored in the application and session scopes? But I need to be careful of storing too much in them... ? Shoot it sounds fragile, and I'm trying to introduce an updated code structure to the organization. I'd hate to bring some ideas in and then have it turn out that they are fragile or unworkable on a clustered server configuration. Whether you use serialization and Client variables, or use session replication, you'll have the same potential problem - that data has to be transferred from one server to the other servers. So, if you have a lot of data, it's going to cost you, right? Things that are inexpensive when you have lots of local, fast storage become expensive when that storage is no longer local. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357086 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
If you use a centralised storage for all servers in your cluster then it is easy. You save session data to your san disk. And simply reload it if it gets lost due to switching servers. You can also achieve this with replication between local disks too. Remember the session is stored in a cookie just like clientid so that part of the process is the same. On 15 Nov 2013 19:55, Dave Watts dwa...@figleaf.com wrote: I'm hoping it's the former :) I guess that's what I'm getting at though... I'm sure you've done many applications that run on clustered servers, is using sticky sessions a common and accepted practice for using cfcs in a clustered environment? Or do larger applications like this just normally stick to the client scope and use the workarounds we've mentioned if they want to use persistent objects? I've worked at two shops with clustered servers and both just used client variables and did not have persisted cfcs. Lots of people use sticky sessions to solve this problem. That doesn't provide failover, but if you're not doing something extremely critical where the user can just go elsewhere (ex: ecommerce) you might not need failover. I'm not sure where your userService object would live on a cluster of servers Shoot. For some reason I was thinking this would be the easy part in the sense that for some reason I was thinking the application scope would be available across all the machines and I could just store my singletons in the application scope. i.e. application.userService, application.securityService, etc. But now that I think about it, will this not work either in a clustered environment? Shoot, how do you guys solve this stuff? I must be missing something because this is the way I have learned to design applications... it can't be that it simply doesn't hold up when clustering is introduced, can it? Think about this for a minute. The application scope is in memory. So, no, it's not going to automatically synchronize with the application scope in memory on a different physical machine - even if you use session replication. I'd probably just serialize objects, but I'd want to make sure that I'm not storing too much in these objects due to the overhead of this process. Hmm. So you are saying you would serialize objects that would typically be stored in the application and session scopes? But I need to be careful of storing too much in them... ? Shoot it sounds fragile, and I'm trying to introduce an updated code structure to the organization. I'd hate to bring some ideas in and then have it turn out that they are fragile or unworkable on a clustered server configuration. Whether you use serialization and Client variables, or use session replication, you'll have the same potential problem - that data has to be transferred from one server to the other servers. So, if you have a lot of data, it's going to cost you, right? Things that are inexpensive when you have lots of local, fast storage become expensive when that storage is no longer local. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357087 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
Lots of people use sticky sessions to solve this problem. That doesn't provide failover, but if you're not doing something extremely critical where the user can just go elsewhere (ex: ecommerce) you might not need failover. With sticky sessions, in the event that one server crashed, the users on that box would have their sessions killed and would basically get kicked out of the app and rerouted to the other server, is that right? That doesnât sound that bad to me considering weâre talking about a very rare situation (assuming things are setup correctly). Think about this for a minute. The application scope is in memory. So, no, it's not going to automatically synchronize with the application scope in memory on a different physical machine - even if you use session replication. Very true. Thanks for helping me get my thinking cap on, as these are just issues I havenât had to mess w/ yet. With that said, assuming your service objects were singletons and didnât have any session specific data, I donât see why you couldnât just have the same objects repeated in the application scope on each machine. userService, productService, securityService, etc⦠and then simply pass the data into them as needed... i.e., userService.saveUser(stickyUser) or userService.getUserById(2401). Wouldnât this work fine? Thanks again for your insight, it is invaluable to me. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357088 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
Lots of people use sticky sessions to solve this problem. That doesn't provide failover, but if you're not doing something extremely critical where the user can just go elsewhere (ex: ecommerce) you might not need failover. With sticky sessions, in the event that one server crashed, the users on that box would have their sessions killed and would basically get kicked out of the app and rerouted to the other server, is that right? That doesnt sound that bad to me considering were talking about a very rare situation (assuming things are setup correctly). That's correct, and for most applications I think this is an acceptable risk. The exception tends to be ecommerce applications, where a user might choose to use a competitor if the user's shopping cart is lost, etc. Think about this for a minute. The application scope is in memory. So, no, it's not going to automatically synchronize with the application scope in memory on a different physical machine - even if you use session replication. Very true. Thanks for helping me get my thinking cap on, as these are just issues I havent had to mess w/ yet. With that said, assuming your service objects were singletons and didnt have any session specific data, I dont see why you couldnt just have the same objects repeated in the application scope on each machine. userService, productService, securityService, etc and then simply pass the data into them as needed... i.e., userService.saveUser(stickyUser) or userService.getUserById(2401). Wouldnt this work fine? Yes, it would work - if you had a way to synchronize the data across servers. One way or another, you have to synchronize whatever data you want to use across servers. If your userService is populated at runtime on one server based on a user's authentication, for example, you'd have to have a way to tell the other servers that information. Thanks again for your insight, it is invaluable to me. You're welcome! Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357089 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: issue with cfhttp and client certificates
Hi Jeff Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). I had the same yesterday. While searching for a solution I came first along your post here, unfortunately no solution. I found later a blog post from Jochem where he describes a similar problem but he has a different error. But as the key point about encoding problem is the same I gave it a try. Following the instruction about converting to pem, reordering certs and convert back to pfx solved the problem for me. (of course you pfx should contain the full cert chain) http://jochem.vandieten.net/2008/02/28/cfhttp-and-client-certificates/ Best Regards, Reto, centinated.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356822 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: issue with cfhttp and client certificates
Russ, Would changing the sys property for unsafe renegotiation allow the JVM to proceed if this was this issue? -Mark (I'm thinking of this arg -Dsun.security.ssl.allowUnsafeRenegotiation=true ) -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Thursday, July 25, 2013 6:25 PM To: cf-talk Subject: Re: issue with cfhttp and client certificates it should be noted that the minimum requirement for certs now is 2048bit, it is not even possible to generate a cert with less than this with most CSA's, so perhaps this is the issue, maybe 1024 is not even supported by java now. On Thu, Jul 25, 2013 at 11:52 PM, Jeff Garza j...@garzasixpack.com wrote: The .pfx is a RSA 1024 bit key. Nothing out of the usual. And this exact key worked just fine in a default install of CF9. -- Jeff Original Message From: Jon Clausen jon_clau...@silowebworks.com Sent: Thursday, July 25, 2013 3:29 PM To: cf-talk cf-talk@houseoffusion.com Subject: Re: issue with cfhttp and client certificates Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10? Explanation: http://www.petefreitag.com/item/803.cfm On Jul 25, 2013, at 4:44 PM, Jeff Garza j...@garzasixpack.com wrote: Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356326 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: issue with cfhttp and client certificates
sorry no idea never tried, you would have to try it and see :-) On Fri, Jul 26, 2013 at 3:16 PM, Mark A Kruger mkru...@cfwebtools.comwrote: Russ, Would changing the sys property for unsafe renegotiation allow the JVM to proceed if this was this issue? -Mark (I'm thinking of this arg -Dsun.security.ssl.allowUnsafeRenegotiation=true ) -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Thursday, July 25, 2013 6:25 PM To: cf-talk Subject: Re: issue with cfhttp and client certificates it should be noted that the minimum requirement for certs now is 2048bit, it is not even possible to generate a cert with less than this with most CSA's, so perhaps this is the issue, maybe 1024 is not even supported by java now. On Thu, Jul 25, 2013 at 11:52 PM, Jeff Garza j...@garzasixpack.com wrote: The .pfx is a RSA 1024 bit key. Nothing out of the usual. And this exact key worked just fine in a default install of CF9. -- Jeff Original Message From: Jon Clausen jon_clau...@silowebworks.com Sent: Thursday, July 25, 2013 3:29 PM To: cf-talk cf-talk@houseoffusion.com Subject: Re: issue with cfhttp and client certificates Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10? Explanation: http://www.petefreitag.com/item/803.cfm On Jul 25, 2013, at 4:44 PM, Jeff Garza j...@garzasixpack.com wrote: Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356327 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: issue with cfhttp and client certificates
Well, I've hinted at it as a possible solution a couple times but I lack confidence (ha). Jeff - give it a shot. It's easy and you never know. -Mark -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Friday, July 26, 2013 9:18 AM To: cf-talk Subject: Re: issue with cfhttp and client certificates sorry no idea never tried, you would have to try it and see :-) On Fri, Jul 26, 2013 at 3:16 PM, Mark A Kruger mkru...@cfwebtools.comwrote: Russ, Would changing the sys property for unsafe renegotiation allow the JVM to proceed if this was this issue? -Mark (I'm thinking of this arg -Dsun.security.ssl.allowUnsafeRenegotiation=true ) -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Thursday, July 25, 2013 6:25 PM To: cf-talk Subject: Re: issue with cfhttp and client certificates it should be noted that the minimum requirement for certs now is 2048bit, it is not even possible to generate a cert with less than this with most CSA's, so perhaps this is the issue, maybe 1024 is not even supported by java now. On Thu, Jul 25, 2013 at 11:52 PM, Jeff Garza j...@garzasixpack.com wrote: The .pfx is a RSA 1024 bit key. Nothing out of the usual. And this exact key worked just fine in a default install of CF9. -- Jeff Original Message From: Jon Clausen jon_clau...@silowebworks.com Sent: Thursday, July 25, 2013 3:29 PM To: cf-talk cf-talk@houseoffusion.com Subject: Re: issue with cfhttp and client certificates Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10? Explanation: http://www.petefreitag.com/item/803.cfm On Jul 25, 2013, at 4:44 PM, Jeff Garza j...@garzasixpack.com wrote: Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive
issue with cfhttp and client certificates
Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356316 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: issue with cfhttp and client certificates
Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356317 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: issue with cfhttp and client certificates
Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356318 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: issue with cfhttp and client certificates
Weird. I would trial and error a few things. Check the keystore on CF9 with the list function and compare with CF10 ... see if anythings missing that missed your docs :) Try removing the jsafe setting below. Make sure your CF install has access to the folder containing the certs and can read them. Not sure I have anything to add. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 3:45 PM To: cf-talk Subject: RE: issue with cfhttp and client certificates Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356319 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: issue with cfhttp and client certificates
you don;t by any chance have a blank password/no password on the pfx file do you ? On Thu, Jul 25, 2013 at 9:24 PM, Mark A Kruger mkru...@cfwebtools.comwrote: Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356320 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: issue with cfhttp and client certificates
No, the .pfx file has a password. What's weird is that we even tried importing to Windows' key repository and re-exporting as a pfx with a different password and that file wouldn't work either. It crashed with the same error. I'm really thinking that this may be a bug in how this new version of Java and/or Apache handles client certs... I guess I'm off to Adobe support to see what they have to say about it. -- Jeff -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Thursday, July 25, 2013 2:34 PM To: cf-talk Subject: Re: issue with cfhttp and client certificates you don;t by any chance have a blank password/no password on the pfx file do you ? On Thu, Jul 25, 2013 at 9:24 PM, Mark A Kruger mkru...@cfwebtools.comwrote: Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356321 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: issue with cfhttp and client certificates
Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10? Explanation: http://www.petefreitag.com/item/803.cfm On Jul 25, 2013, at 4:44 PM, Jeff Garza j...@garzasixpack.com wrote: Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356322 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: issue with cfhttp and client certificates
Good point. Here is the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html On 7/25/13 2:52 PM, Jon Clausen wrote: Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10? Explanation: http://www.petefreitag.com/item/803.cfm On Jul 25, 2013, at 4:44 PM, Jeff Garza j...@garzasixpack.com wrote: Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356323 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: issue with cfhttp and client certificates
The .pfx is a RSA 1024 bit key. Nothing out of the usual. And this exact key worked just fine in a default install of CF9. -- Jeff Original Message From: Jon Clausen jon_clau...@silowebworks.com Sent: Thursday, July 25, 2013 3:29 PM To: cf-talk cf-talk@houseoffusion.com Subject: Re: issue with cfhttp and client certificates Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10? Explanation: http://www.petefreitag.com/item/803.cfm On Jul 25, 2013, at 4:44 PM, Jeff Garza j...@garzasixpack.com wrote: Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356324 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: issue with cfhttp and client certificates
it should be noted that the minimum requirement for certs now is 2048bit, it is not even possible to generate a cert with less than this with most CSA's, so perhaps this is the issue, maybe 1024 is not even supported by java now. On Thu, Jul 25, 2013 at 11:52 PM, Jeff Garza j...@garzasixpack.com wrote: The .pfx is a RSA 1024 bit key. Nothing out of the usual. And this exact key worked just fine in a default install of CF9. -- Jeff Original Message From: Jon Clausen jon_clau...@silowebworks.com Sent: Thursday, July 25, 2013 3:29 PM To: cf-talk cf-talk@houseoffusion.com Subject: Re: issue with cfhttp and client certificates Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10? Explanation: http://www.petefreitag.com/item/803.cfm On Jul 25, 2013, at 4:44 PM, Jeff Garza j...@garzasixpack.com wrote: Mark, On the CF9 Server we're at Java version 1.6.0_17 and the arguments from the CFAdmin look like the following: -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.rootDir={application.home}/../ -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.spooltimeout=120. On the CF10 server it's at Java version 1.7.0_15 and the args are: -server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch -Dcoldfusion.home={application.home} -Dcoldfusion.rootDir={application.home} -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dcoldfusion.spooltimeout=120 Though, based on the error, I don't think this is a handshake issue. It looks like an issue where the JVM can't even open the certificate file to pass the public key on to the server. Which is why this is so strange that CF9 with the older JVM would be able to do it, but the new one can't. --Jeff Original Message From: Mark A Kruger mkru...@cfwebtools.com Sent: Thursday, July 25, 2013 1:25 PM To: cf-talk cf-talk@houseoffusion.com Subject: RE: issue with cfhttp and client certificates Jeff, What JVM version are you using on CF9 and what do the args look like? Sometimes it's a matter of the handshake and levels of TLS/SSL - the error may be not specific enough to tell. You can enable logging to get a grip on it though. That would tell you more. -Mark -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: Thursday, July 25, 2013 12:25 PM To: cf-talk Subject: issue with cfhttp and client certificates Ok, so here's the issue. A process that was working just fine on CF9 is now broken on CF10. We have a service that we call that requires us to submit a client certificate to the server. In CF9, this worked just fine. Use the clientcert and clientcertpass attributes of CFHTTP and you're good to go. It reads the .pfx file fine and everything runs... This is not a cacerts issue as you do not have to have the key in the keystore to use it. Forward to CF10, the exact same code and certificates now gives the error: Error while trying to get the SSL client certificate: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decode key from BER. (Invalid encoding: expected tag not there. ). It's like it's unable to open the .pfx certificate file. I know this is a long shot since there are not many folks out there using client certs, but has anyone else run across this issue? Thanks, Jeff Garza ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356325 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: SOT: cfhttp geolocation
It appears that does not work. Trying my farkakte cookies idea... On Wed, Jan 30, 2013 at 5:22 PM, Dave Watts dwa...@figleaf.com wrote: I understand that Google, etc tries to determine your location via IP, nearby wifi, etc (i.e. http://support.google.com/maps/bin/answer.py?hl=enanswer=153807 ) I'm wondering how to override this behavior via cfhttp. My first attempt was to use: http://tools.ietf.org/html/draft-thomson-geopriv-http-geolocation-00 ...as follows: cfhttpparam type=header name=Geolocation value=geo:[lat],[lon] ...where [lat],[lon] is elsewhere. This appeared to be ignored. Any ideas? Is your goal to pass the user's location to Google instead of your server's? if so, I'd try just sending an X-Forwarded-For HTTP request header. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354225 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: SOT: cfhttp geolocation
...which seems like it might be working. On Fri, Feb 1, 2013 at 3:43 PM, John M Bliss bliss.j...@gmail.com wrote: It appears that does not work. Trying my farkakte cookies idea... On Wed, Jan 30, 2013 at 5:22 PM, Dave Watts dwa...@figleaf.com wrote: I understand that Google, etc tries to determine your location via IP, nearby wifi, etc (i.e. http://support.google.com/maps/bin/answer.py?hl=enanswer=153807 ) I'm wondering how to override this behavior via cfhttp. My first attempt was to use: http://tools.ietf.org/html/draft-thomson-geopriv-http-geolocation-00 ...as follows: cfhttpparam type=header name=Geolocation value=geo:[lat],[lon] ...where [lat],[lon] is elsewhere. This appeared to be ignored. Any ideas? Is your goal to pass the user's location to Google instead of your server's? if so, I'd try just sending an X-Forwarded-For HTTP request header. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354226 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
SOT: cfhttp geolocation
I understand that Google, etc tries to determine your location via IP, nearby wifi, etc (i.e. http://support.google.com/maps/bin/answer.py?hl=enanswer=153807 ) I'm wondering how to override this behavior via cfhttp. My first attempt was to use: http://tools.ietf.org/html/draft-thomson-geopriv-http-geolocation-00 ...as follows: cfhttpparam type=header name=Geolocation value=geo:[lat],[lon] ...where [lat],[lon] is elsewhere. This appeared to be ignored. Any ideas? -- John Bliss - http://about.me/jbliss ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354172 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: SOT: cfhttp geolocation
Clunky but I thought of a potential solution (at least for Google): 1. new browser session, logged out of Google, clear all cookies 2. Google something like local florist 3. click Options, Search settings, Location, and specify a new location 4. copy all resulting cookies into cfhttpparams Will advise as to whether that works. Happy to hear other ideas... On Wed, Jan 30, 2013 at 3:53 PM, John M Bliss bliss.j...@gmail.com wrote: I understand that Google, etc tries to determine your location via IP, nearby wifi, etc (i.e. http://support.google.com/maps/bin/answer.py?hl=enanswer=153807 ) I'm wondering how to override this behavior via cfhttp. My first attempt was to use: http://tools.ietf.org/html/draft-thomson-geopriv-http-geolocation-00 ...as follows: cfhttpparam type=header name=Geolocation value=geo:[lat],[lon] ...where [lat],[lon] is elsewhere. This appeared to be ignored. Any ideas? -- John Bliss - http://about.me/jbliss -- John Bliss - http://about.me/jbliss ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354173 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: SOT: cfhttp geolocation
I understand that Google, etc tries to determine your location via IP, nearby wifi, etc (i.e. http://support.google.com/maps/bin/answer.py?hl=enanswer=153807 ) I'm wondering how to override this behavior via cfhttp. My first attempt was to use: http://tools.ietf.org/html/draft-thomson-geopriv-http-geolocation-00 ...as follows: cfhttpparam type=header name=Geolocation value=geo:[lat],[lon] ...where [lat],[lon] is elsewhere. This appeared to be ignored. Any ideas? Is your goal to pass the user's location to Google instead of your server's? if so, I'd try just sending an X-Forwarded-For HTTP request header. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354175 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
https connection issues using cfhttp
Hi Guys, I've been wrestling with a problem calling a SOAP Web Service using cfhttp. The endpoint is an https URL to a server IP, not a host name. We are running MX7. Initially when I tried connecting I got the usual error response from an untrusted authority source: ErrorDetail: I/O Exception: peer not authenticated Usually when this happens we download the certificate (DER format saved as a .cer file) from the site using a browser and add it to the Java SDK truststore using the keytool -import command in the jrun/jre/lib folder. This all went ok and I can see the certificate when I list them using the keytool - list... command. This changed the error response to: ErrorDetail: I/O Exception: Name in certificate `hub' does not match host name `187.141.14.122' My first issue is very common and usually easy to resolve, but the latter has caused a lot of head banging. What I can tell is that it seems to be self signed certificate and feel this might be part of the problem. Any ideas? Regards, Ian. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353950 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: https connection issues using cfhttp
Is the ssl cert actually for the ip address, the error says it is for hub Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine On Jan 17, 2013 3:12 PM, Ian Chapman ian.chap...@melodimedia.co.uk wrote: Hi Guys, I've been wrestling with a problem calling a SOAP Web Service using cfhttp. The endpoint is an https URL to a server IP, not a host name. We are running MX7. Initially when I tried connecting I got the usual error response from an untrusted authority source: ErrorDetail: I/O Exception: peer not authenticated Usually when this happens we download the certificate (DER format saved as a .cer file) from the site using a browser and add it to the Java SDK truststore using the keytool -import command in the jrun/jre/lib folder. This all went ok and I can see the certificate when I list them using the keytool - list... command. This changed the error response to: ErrorDetail: I/O Exception: Name in certificate `hub' does not match host name `187.141.14.122' My first issue is very common and usually easy to resolve, but the latter has caused a lot of head banging. What I can tell is that it seems to be self signed certificate and feel this might be part of the problem. Any ideas? Regards, Ian. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353951 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
re: https connection issues using cfhttp
You are going to have to edit your hosts file and create a pointer for hub that directs it to 187.141.14.122. Then when you call the webservice, you'll use https://hub/...; to access it. I've been through this before as well and this should do it after you've imported the certificate from the site. -- Jeff Original Message From: Ian Chapman ian.chap...@melodimedia.co.uk Sent: Thursday, January 17, 2013 8:13 AM To: cf-talk cf-talk@houseoffusion.com Subject: https connection issues using cfhttp Hi Guys, I've been wrestling with a problem calling a SOAP Web Service using cfhttp. The endpoint is an https URL to a server IP, not a host name. We are running MX7. Initially when I tried connecting I got the usual error response from an untrusted authority source: ErrorDetail: I/O Exception: peer not authenticated Usually when this happens we download the certificate (DER format saved as a .cer file) from the site using a browser and add it to the Java SDK truststore using the keytool -import command in the jrun/jre/lib folder. This all went ok and I can see the certificate when I list them using the keytool - list... command. This changed the error response to: ErrorDetail: I/O Exception: Name in certificate `hub' does not match host name `187.141.14.122' My first issue is very common and usually easy to resolve, but the latter has caused a lot of head banging. What I can tell is that it seems to be self signed certificate and feel this might be part of the problem. Any ideas? Regards, Ian. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353952 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: https connection issues using cfhttp
Hi Russ, When saving the file from Firefox it gets saved by default as HUB.cer. And that's what I imported into the keystore. I did as a test tried saving as 187.141.14.122.cer but the filename is obviously arbitrary so didn't help. When I look at the certificate in Windows it says issued to HUB and issued by HUB. But I'm not sure how you'd create a certificate issued from 187.141.14.122. This is the end point so you can see the certificate in question if it helps. https://187.141.14.122:443/asg/services/SubscribeProductService Regards, Ian. -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: 17 January 2013 15:30 To: cf-talk Subject: Re: https connection issues using cfhttp Is the ssl cert actually for the ip address, the error says it is for hub Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine On Jan 17, 2013 3:12 PM, Ian Chapman ian.chap...@melodimedia.co.uk wrote: Hi Guys, I've been wrestling with a problem calling a SOAP Web Service using cfhttp. The endpoint is an https URL to a server IP, not a host name. We are running MX7. Initially when I tried connecting I got the usual error response from an untrusted authority source: ErrorDetail: I/O Exception: peer not authenticated Usually when this happens we download the certificate (DER format saved as a .cer file) from the site using a browser and add it to the Java SDK truststore using the keytool -import command in the jrun/jre/lib folder. This all went ok and I can see the certificate when I list them using the keytool - list... command. This changed the error response to: ErrorDetail: I/O Exception: Name in certificate `hub' does not match host name `187.141.14.122' My first issue is very common and usually easy to resolve, but the latter has caused a lot of head banging. What I can tell is that it seems to be self signed certificate and feel this might be part of the problem. Any ideas? Regards, Ian. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353953 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: https connection issues using cfhttp
+1 what Jeff said. Dealt with this same issue here: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:64157 On Thu, Jan 17, 2013 at 9:37 AM, Jeff Garza j...@garzasixpack.com wrote: You are going to have to edit your hosts file and create a pointer for hub that directs it to 187.141.14.122. Then when you call the webservice, you'll use https://hub/...; to access it. I've been through this before as well and this should do it after you've imported the certificate from the site. -- Jeff Original Message From: Ian Chapman ian.chap...@melodimedia.co.uk Sent: Thursday, January 17, 2013 8:13 AM To: cf-talk cf-talk@houseoffusion.com Subject: https connection issues using cfhttp Hi Guys, I've been wrestling with a problem calling a SOAP Web Service using cfhttp. The endpoint is an https URL to a server IP, not a host name. We are running MX7. Initially when I tried connecting I got the usual error response from an untrusted authority source: ErrorDetail: I/O Exception: peer not authenticated Usually when this happens we download the certificate (DER format saved as a .cer file) from the site using a browser and add it to the Java SDK truststore using the keytool -import command in the jrun/jre/lib folder. This all went ok and I can see the certificate when I list them using the keytool - list... command. This changed the error response to: ErrorDetail: I/O Exception: Name in certificate `hub' does not match host name `187.141.14.122' My first issue is very common and usually easy to resolve, but the latter has caused a lot of head banging. What I can tell is that it seems to be self signed certificate and feel this might be part of the problem. Any ideas? Regards, Ian. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353954 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: https connection issues using cfhttp
that is your problem then, the cert does not match the hostname. so here are the options 1. create a hosts entry as others have said 2. get the person running the web service to assign a domain or sub-domain to it and create a cert for that domain. On Thu, Jan 17, 2013 at 3:46 PM, Ian Chapman ian.chap...@melodimedia.co.ukwrote: Hi Russ, When saving the file from Firefox it gets saved by default as HUB.cer. And that's what I imported into the keystore. I did as a test tried saving as 187.141.14.122.cer but the filename is obviously arbitrary so didn't help. When I look at the certificate in Windows it says issued to HUB and issued by HUB. But I'm not sure how you'd create a certificate issued from 187.141.14.122. This is the end point so you can see the certificate in question if it helps. https://187.141.14.122:443/asg/services/SubscribeProductService Regards, Ian. -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: 17 January 2013 15:30 To: cf-talk Subject: Re: https connection issues using cfhttp Is the ssl cert actually for the ip address, the error says it is for hub Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com- CF search engine On Jan 17, 2013 3:12 PM, Ian Chapman ian.chap...@melodimedia.co.uk wrote: Hi Guys, I've been wrestling with a problem calling a SOAP Web Service using cfhttp. The endpoint is an https URL to a server IP, not a host name. We are running MX7. Initially when I tried connecting I got the usual error response from an untrusted authority source: ErrorDetail: I/O Exception: peer not authenticated Usually when this happens we download the certificate (DER format saved as a .cer file) from the site using a browser and add it to the Java SDK truststore using the keytool -import command in the jrun/jre/lib folder. This all went ok and I can see the certificate when I list them using the keytool - list... command. This changed the error response to: ErrorDetail: I/O Exception: Name in certificate `hub' does not match host name `187.141.14.122' My first issue is very common and usually easy to resolve, but the latter has caused a lot of head banging. What I can tell is that it seems to be self signed certificate and feel this might be part of the problem. Any ideas? Regards, Ian. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353955 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: https connection issues using cfhttp
Hi Jeff, I did see something like that suggested somewhere else but think I had misunderstood what I should point to the IP. Now you've said it like that it makes complete sense. That works a treat, connecting ok. Why didn't I post here earlier. :) Really appreciate your help. Regards, Ian. -Original Message- From: Jeff Garza [mailto:j...@garzasixpack.com] Sent: 17 January 2013 15:37 To: cf-talk Subject: re: https connection issues using cfhttp You are going to have to edit your hosts file and create a pointer for hub that directs it to 187.141.14.122. Then when you call the webservice, you'll use https://hub/...; to access it. I've been through this before as well and this should do it after you've imported the certificate from the site. -- Jeff Original Message From: Ian Chapman ian.chap...@melodimedia.co.uk Sent: Thursday, January 17, 2013 8:13 AM To: cf-talk cf-talk@houseoffusion.com Subject: https connection issues using cfhttp Hi Guys, I've been wrestling with a problem calling a SOAP Web Service using cfhttp. The endpoint is an https URL to a server IP, not a host name. We are running MX7. Initially when I tried connecting I got the usual error response from an untrusted authority source: ErrorDetail: I/O Exception: peer not authenticated Usually when this happens we download the certificate (DER format saved as a .cer file) from the site using a browser and add it to the Java SDK truststore using the keytool -import command in the jrun/jre/lib folder. This all went ok and I can see the certificate when I list them using the keytool - list... command. This changed the error response to: ErrorDetail: I/O Exception: Name in certificate `hub' does not match host name `187.141.14.122' My first issue is very common and usually easy to resolve, but the latter has caused a lot of head banging. What I can tell is that it seems to be self signed certificate and feel this might be part of the problem. Any ideas? Regards, Ian. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353956 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: https connection issues using cfhttp
Ok thanks John. I did search before posting but didn't see that. -Original Message- From: John M Bliss [mailto:bliss.j...@gmail.com] Sent: 17 January 2013 15:48 To: cf-talk Subject: Re: https connection issues using cfhttp +1 what Jeff said. Dealt with this same issue here: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:64157 On Thu, Jan 17, 2013 at 9:37 AM, Jeff Garza j...@garzasixpack.com wrote: You are going to have to edit your hosts file and create a pointer for hub that directs it to 187.141.14.122. Then when you call the webservice, you'll use https://hub/...; to access it. I've been through this before as well and this should do it after you've imported the certificate from the site. -- Jeff Original Message From: Ian Chapman ian.chap...@melodimedia.co.uk Sent: Thursday, January 17, 2013 8:13 AM To: cf-talk cf-talk@houseoffusion.com Subject: https connection issues using cfhttp Hi Guys, I've been wrestling with a problem calling a SOAP Web Service using cfhttp. The endpoint is an https URL to a server IP, not a host name. We are running MX7. Initially when I tried connecting I got the usual error response from an untrusted authority source: ErrorDetail: I/O Exception: peer not authenticated Usually when this happens we download the certificate (DER format saved as a .cer file) from the site using a browser and add it to the Java SDK truststore using the keytool -import command in the jrun/jre/lib folder. This all went ok and I can see the certificate when I list them using the keytool - list... command. This changed the error response to: ErrorDetail: I/O Exception: Name in certificate `hub' does not match host name `187.141.14.122' My first issue is very common and usually easy to resolve, but the latter has caused a lot of head banging. What I can tell is that it seems to be self signed certificate and feel this might be part of the problem. Any ideas? Regards, Ian. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353957 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF application ends prematurely in CFHTTP
If I recall there is optipn to throw error on timeout on some tags Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine On Nov 30, 2012 1:43 AM, Andrew Scott andr...@andyscott.id.au wrote: Well technically a timeout is an error, but it is ColdFusion throwing it because it can't run the page in the specified time, and is still not handled by cftry. -- Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411 On Fri, Nov 30, 2012 at 12:30 PM, Russ Michaels r...@michaels.me.uk wrote: A timeout usually results in an error though. Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353316 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF application ends prematurely in CFHTTP
I would be guessing this is a page time out, only because there seems to be a number of cfhttp calls going on. I don't think page time outs fall into the same category you're thinking Russ. However I did a bit of research and found the following article by Ben Nadel. http://www.bennadel.com/blog/916-Graceful-ColdFusion-Timeout-Disaster-Recovery-Thanks-Barney-Boisvert-.htm My guess is that one could reset the page time out using this method, so for example if you know that all the cfhttp calls are going to take around 2-3 secs (Just pulling numbers here) then in theory before the loop moves into its next iteration or at the beginning of the loop one could make sure that the page time out is reset to 30 secs. -- Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411 On Fri, Nov 30, 2012 at 7:17 PM, Russ Michaels r...@michaels.me.uk wrote: If I recall there is optipn to throw error on timeout on some tags Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353317 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF application ends prematurely in CFHTTP
I would be guessing this is a page time out, only because there seems to be a number of cfhttp calls going on. Right, the time required for the HTTP calls represents a high percentage of the total time in the loop, so chances the time limit occurs during the HTTP are high. But I still don't see why CF cannot throw an error on a time limit in this case. No error is catched, no error is reported and onRequestEnd is not executed. IMO at least ONE of these three should occur. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353318 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF application ends prematurely in CFHTTP
Actually there is a setting in the cfadmin for a pagetodisplay on timeouts. Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine On Nov 30, 2012 3:51 PM, wrote: I would be guessing this is a page time out, only because there seems to be a number of cfhttp calls going on. Right, the time required for the HTTP calls represents a high percentage of the total time in the loop, so chances the time limit occurs during the HTTP are high. But I still don't see why CF cannot throw an error on a time limit in this case. No error is catched, no error is reported and onRequestEnd is not executed. IMO at least ONE of these three should occur. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353319 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF application ends prematurely in CFHTTP
Actually there is a setting in the cfadmin for a pagetodisplay on timeouts. Thanks. Didn't know that. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353320 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF application ends prematurely in CFHTTP
That is news to me... -- Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411 On Sat, Dec 1, 2012 at 3:00 AM, Russ Michaels r...@michaels.me.uk wrote: Actually there is a setting in the cfadmin for a pagetodisplay on timeouts. Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine On Nov 30, 2012 3:51 PM, wrote: ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353321 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm