CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-01 Thread Rob Wilkerson
Hey all -

I'm debugging a customer issue with a CFHTTP call that's reaching out
to a secure location with a valid certificate.  I've exported the cert
(in both base64 and, just to be sure, binary formats) and imported it
into cacerts, but it just won't take.  Other HTTPS sites work just
fine, but I can't get this one to connect.

Has anyone else run into a circumstance where importing a cert still
doesn't keep the connection from failing?  If not, would someone mind
trying to connect to the URI below via CFHTTP and let me know whether
it works for you?  I'm not above admitting that I could easily be
screwing up the import process, but I'm at a loss for how I might be
doing that since other sites appear to work as expected.

The URI I'm trying to import is
https://www.controller.jhu.edu/staff/phone_book/phone_co.jsp

It can be accessed directly, of course.

Thanks very much.

Rob Wilkerson

~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258668
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


RE: CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-01 Thread kola.oyedeji
Yeh and still struggling with it... :(

http://www.houseoffusion.com/groups/CF-Talk/thread.cfm/threadid:48564

What version of CF? What error message are you getting... you said other
HTTPS sites are working - I'm assuming you mean other cfhttp calls? Are
there differences in the types of the certificate? When you attempt to
import the certificate it should confirm that it's been added

Kola




Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258700


Re: CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-01 Thread Rob Wilkerson
On 11/1/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> What version of CF?

MX 7.0.2

> What error message are you getting...

There is no error message beyond the "Status code unavailable" error
returned by the CFHTTP call.  Nothing in any log file.

> you said other
> HTTPS sites are working - I'm assuming you mean other cfhttp calls?

That's correct.  Once I import the cert, I can CFHTTP to several (3)
other SSL-enabled URIs.

> Are
> there differences in the types of the certificate?

Not that I'm aware of.  All were exported in the same manner and I
didn't notice any difference (although, admittedly, I'm not sure what
I'd have been looking for).

> When you attempt to
> import the certificate it should confirm that it's been added

It does.  I can list them after importing and, sure enough, they're in
place and trusted.

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258704


RE: CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-01 Thread kola.oyedeji
Hi 

I came across this post:

http://www.talkingtree.com/blog/index.cfm?mode=entry&entry=25AA75A4-45A6-2844-7CA3EECD842DB576

There is possibly a bug with the version of the JVM 1.4.2-b28. I've tried
everything except this - which I'll try in the morning when I get back into
the office...

Let you know how I get on



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258761


RE: CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-02 Thread Kola Oyedeji (E-mail)
Well that did the trick!

I was reluctant to start updating the JVM given nothing had changed
(including the third party's certificate) - however I did install a new JVM
(1.4.2_09) on the machine *but didn't set ColdFusion to use it* then:

- copied the keystore to this new JVM
- added the certificate to the keystore 
- then copied the keystore back to ColdFusion and restarted ColdFusion

That did the trick. I'm still bemused as to why it would suddenly stop
working?

You can download 1.4.2_09 and most JDKs/JVMS from here:

http://java.sun.com/products/archive/

Hope that works for you

Kola


Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258809


Re: CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-02 Thread Rob Wilkerson
Thanks, Kola.  I'm pretty sure I'm already using 1.4.2_09, but I'll
double check when I get to the office.


Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258813


Re: CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-02 Thread Rob Wilkerson
On 11/2/06, Kola Oyedeji (E-mail) <[EMAIL PROTECTED]> wrote:
> Well that did the trick!
>
> I was reluctant to start updating the JVM given nothing had changed
> (including the third party's certificate) - however I did install a new JVM
> (1.4.2_09) on the machine *but didn't set ColdFusion to use it* then:
>
> - copied the keystore to this new JVM
> - added the certificate to the keystore
> - then copied the keystore back to ColdFusion and restarted ColdFusion
>
> That did the trick. I'm still bemused as to why it would suddenly stop
> working?
>
> You can download 1.4.2_09 and most JDKs/JVMS from here:
>
> http://java.sun.com/products/archive/
>
> Hope that works for you
>
> Kola

Sadly, I'm already using the 1.4.2_09 JVM for my CF implementation so
I guess this won't help me much.

It's a lot to ask, I know, but would someone mind trying to CFHTTP the
URI below by following the "standard" process?

https://www.controller.jhu.edu/staff/phone_book/phone_co.jsp

I'd like to ensure that it's not my environment.  Or, if it is my
environment, try to understand why my environment is causing me so
many headaches.

Thanks.

Rob

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258856


RE: CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-02 Thread Steven Erat
I tried CFMX 7.02 using the built in 1.4.2_09 JVM  and the 1.4.2_11 JVM,
but both reported a CFHTTP failure of "I/O Exception: peer not
authenticated" even after I imported the jhu certificate into the
cacerts used by the JVM under ColdFusion and verified it with the
keytool list output (and of course I restarted CF as well).

ColdFusion was successful with https://login.yahoo.com and
https://www.google.com, but not with the jhu.edu site.

I traced the connections from CFHTTP to watch the events unfold, and I
traced my Firefox connection to jhu.edu as well.  Here's some
screenshots of the traces, although I don't have any conclusions to draw
from them yet:

a) Trace of Firefox to jhu.edu
http://www.talkingtree.com/images/jhu_firefox_server_hello.jpg

b) Trace of CF7.02 CFHTTP to jhu.edu
http://www.talkingtree.com/images/jhu_trace_server_hello.jpg

c) Trace of CF7.02 CFHTTP to yahoo
http://www.talkingtree.com/images/yahoo_login_trace.jpg

d) Trace of CF7.02 CFHTTP to google
http://www.talkingtree.com/images/google_trace.jpg

Traces a, c, and d show a successful exchange, and trace b shows the
failure.  Traces a and b to jhu.edu show a Client Hello in frame 4 and a
Server Hello in frame 6.  Trace a then shows firefox sending a Client
Master Key to jhu.edu on frame 7, but trace b shows CFMX sending some
Encrypted Data followed by a FIN and RST flag back to jhu.edu, thus
ending the connection.  Trace b goes on to show that CFHTTP tries 3
times, but continues to fail.

There are 6 key types (Cipher specs) in Firefox, and 4 key types in
the JVM under CF (shown in the middle of screenshots a and b), although
Firefox in frame 7 uses SSL2_RC4_128_WITH_MD5 as the Cipher Spec, which
is common to Firefox and CF's JVM.

The only other interesting observation is that Yahoo and Google use TLS
(the 'new' SSL protocol), and jhu.edu uses SSLv2 which should work.

That's all I've got for now...

-Steven Erat







Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258937
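
Added example, not part of any post in this thread: the message above compares handshake traces by their frame labels, and this Python sketch shows how the opening bytes of a captured hello tell an SSLv2-format record from an SSLv3/TLS record, and which protocol version and cipher specs it carries. The function names and sample bytes are constructed for illustration (they are not taken from the screenshots); the field layouts follow the SSL 2.0 and TLS 1.0 specifications.

```python
import struct

SSL2_MSG = {1: "CLIENT-HELLO", 2: "CLIENT-MASTER-KEY", 4: "SERVER-HELLO"}
TLS_HS = {1: "ClientHello", 2: "ServerHello"}
VERSIONS = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0"}
# SSLv2 cipher kinds are 3 bytes each; a few of the defined values.
SSL2_CIPHERS = {0x010080: "SSL2_RC4_128_WITH_MD5",
                0x030080: "SSL2_RC2_128_CBC_WITH_MD5",
                0x060040: "SSL2_DES_64_CBC_WITH_MD5",
                0x0700C0: "SSL2_DES_192_EDE3_CBC_WITH_MD5"}


def cipher_names(raw):
    """Split a cipher-spec field into 3-byte kinds and name the known ones."""
    codes = [int.from_bytes(raw[i:i + 3], "big") for i in range(0, len(raw) - 2, 3)]
    return [SSL2_CIPHERS.get(c, "0x%06x" % c) for c in codes]


def classify_hello(data):
    """Classify the first record of one side's opening handshake flight."""
    if len(data) < 11:
        raise ValueError("truncated record")
    if data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS: 5-byte record header, 4-byte handshake header, then version.
        (version,) = struct.unpack_from(">H", data, 9)
        return {"format": "SSLv3/TLS record", "message": TLS_HS.get(data[5], "other"),
                "version": VERSIONS.get(version, hex(version)), "ciphers": []}
    # SSLv2: 2-byte header when the top bit is set, else 3 bytes (with padding).
    body = data[2:] if data[0] & 0x80 else data[3:]
    msg = SSL2_MSG.get(body[0], "other")
    if msg == "CLIENT-HELLO":
        # type(1) version(2) cipher-spec-len(2) session-id-len(2) challenge-len(2)
        version, cs_len = struct.unpack_from(">HH", body, 1)
        ciphers = cipher_names(body[9:9 + cs_len])
    elif msg == "SERVER-HELLO":
        # type(1) hit(1) cert-type(1) version(2) cert-len(2) spec-len(2) conn-id-len(2)
        version, cert_len, cs_len = struct.unpack_from(">HHH", body, 3)
        ciphers = cipher_names(body[11 + cert_len:11 + cert_len + cs_len])
    else:
        return {"format": "SSLv2 record", "message": msg, "version": None, "ciphers": []}
    return {"format": "SSLv2 record", "message": msg,
            "version": VERSIONS.get(version, hex(version)), "ciphers": ciphers}


def v2_record(body):
    """Wrap a message body in a 2-byte SSLv2 record header (for the samples)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed sample bytes, not taken from the traces in the thread.
CLIENT_V2 = v2_record(b"\x01\x03\x01" + struct.pack(">HHH", 6, 0, 16)
                      + bytes.fromhex("010080000004") + bytes(16))
SERVER_V2 = v2_record(b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 4, 3, 16)
                      + b"CERT" + bytes.fromhex("010080") + bytes(16))
SERVER_TLS = bytes.fromhex("160301002a0200002603" "01") + bytes(38)

if __name__ == "__main__":
    for label, sample in [("client hello, v2 format", CLIENT_V2),
                          ("server hello, v2 format", SERVER_V2),
                          ("server hello, TLS record", SERVER_TLS)]:
        print(label, classify_hello(sample))
```

The first sample is an SSLv2-format CLIENT-HELLO whose version field offers TLS 1.0, so the record format shown in a trace does not by itself say which protocol version a client will speak; the version field in the hello does.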


RE: CFHTTP, SSL and Certificates (Obligatory "Oh My")

2006-11-03 Thread Mark A Kruger
Very instructive 




Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:259000