RE: CFHTTP, SSL and Certificates (Obligatory Oh My)
Very instructive -Original Message- From: Steven Erat [mailto:[EMAIL PROTECTED] Sent: Thursday, November 02, 2006 4:52 PM To: CF-Talk Subject: RE: CFHTTP, SSL and Certificates (Obligatory Oh My) I tried CFMX 7.02 using the built in 1.4.2_09 JVM and the 1.4.2_11 JVM, but both reported a CFHTTP failure of I/O Exception: peer not authenticated even after I imported the jhu certificate into the cacerts used by the JVM under ColdFusion and verified it with the keytool list output (and of course I restarted CF as well). ColdFusion was successful with https://login.yahoo.com and https://www.google.com, but not with the jhu.edu site. I traced the connections from CFHTTP to watch the events unfold, and I traced my Firefox connection to jhu.edu as well. Here's some screenshots of the traces, although I don't have any conclusions to draw from them yet: a) Trace of Firefox to jhu.edu http://www.talkingtree.com/images/jhu_firefox_server_hello.jpg b) Trace of CF7.02 CFHTTP to jhu.edu http://www.talkingtree.com/images/jhu_trace_server_hello.jpg c) Trace of CF7.02 CFHTTP to yahoo http://www.talkingtree.com/images/yahoo_login_trace.jpg d) Trace of CF7.02 CFHTTP to google http://www.talkingtree.com/images/google_trace.jpg Traces a, c, and d are show a successful exchange, and trace b shows the failure. Traces a and b to jhu.edu show a Client Hello in frame 4 and a Server Hello in frame 6. Trace a then shows firefox sending a Client Master Key to jhu.edu on frame 7, but trace b shows CFMX sending some Encrypted Data followed by a FIN and RST flag back to jhu.edu, thus ending the connection. Trace b goes on to show that CFHTTP tries 3 times, but continues to fail. The there are 6 key types (Cipher specs) in Firefox, and 4 key types in the JVM under CF (shown in the middle of screenshots a and b), although Firefox in frame 7 uses SSL2_RC4_128_WITH_MD5 as the Cipher Spec, which is common to Firefox and CF's JVM. The only other interesting observation is that Yahoo and Google use TLS (the 'new' SSL protocol), and jhu.edu uses SSLv2 which should work. That's all I've got for now... -Steven Erat -Original Message- From: Rob Wilkerson [mailto:[EMAIL PROTECTED] Sent: Thursday, November 02, 2006 11:16 AM To: CF-Talk Subject: Re: CFHTTP, SSL and Certificates (Obligatory Oh My) Sadly, I'm already using the 1.4.2_09 JVM for my CF implementation so I guess this won't help me much. It's a lot to ask, I know, but would someone mind trying to CFHTTP the URI below by following the standard process? https://www.controller.jhu.edu/staff/phone_book/phone_co.jsp I'd like to ensure that it's not my environment. Or, if it is my environment, try to understand why my environment is causing me so many headaches. Thanks. Rob ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:259000 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: CFHTTP, SSL and Certificates (Obligatory Oh My)
Well that did the trick! I was reluctant to start updating the JVM given nothing had changed (including the third parties certificate) - however I did install a new JVM (1.4.2_09) on the machine *but didn't set ColdFusion to use it* then: - copied the keystore to this new JVM - added the certificate to the keystore - then copied the keystore back to ColdFusion and restarted ColdFusion That did the trick. I'm still bemused as to why it would suddenly stop working? You can download 1.4.2_09 and most JDKs/JVMS from here: http://java.sun.com/products/archive/ Hope that works for you Kola -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 01 November 2006 22:59 To: CF-Talk Subject: RE: CFHTTP, SSL and Certificates (Obligatory Oh My) Hi I came across this post: http://www.talkingtree.com/blog/index.cfm?mode=entryentry=25AA75A4-45A6-284 4-7CA3EECD842DB576 There is possibly a bug with the version of the JVM 1.4.2-b28. I've tried everything except this - which I'll try in the morning when I get back into the office... Let you know how I get on -Original Message- From: Rob Wilkerson [mailto:[EMAIL PROTECTED] Sent: 01 November 2006 16:29 To: CF-Talk Subject: Re: CFHTTP, SSL and Certificates (Obligatory Oh My) On 11/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: What version of CF? MX 7.0.2 What error message are you getting... There is no error message beyond the Status code unavailable error returned by the CFHTTP call. Nothing in any log file. you said other HTTPS sites are working - I'm assuming you mean other cfhttp calls? That's correct. Once I import the cert, I can CFHTTP to several (3) other SSL-enabled URIs. Are there differences in the types of the certificate? Not that I'm aware of. All were exported in the same manner and I didn't notice any difference (although, admittedly, I'm not sure what I'd have been looking for). When you attempt to import the certificate it should confirm that its been added It does. I can list them after importing and, sure enough, they're in place and trusted. ~ ~ ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258809 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFHTTP, SSL and Certificates (Obligatory Oh My)
Thanks, Kola. I'm pretty sure I'm already using 1.4.2_09, but I'll double check when I get to the office. On 11/2/06, Kola Oyedeji (E-mail) [EMAIL PROTECTED] wrote: Well that did the trick! I was reluctant to start updating the JVM given nothing had changed (including the third parties certificate) - however I did install a new JVM (1.4.2_09) on the machine *but didn't set ColdFusion to use it* then: - copied the keystore to this new JVM - added the certificate to the keystore - then copied the keystore back to ColdFusion and restarted ColdFusion That did the trick. I'm still bemused as to why it would suddenly stop working? You can download 1.4.2_09 and most JDKs/JVMS from here: http://java.sun.com/products/archive/ Hope that works for you Kola -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 01 November 2006 22:59 To: CF-Talk Subject: RE: CFHTTP, SSL and Certificates (Obligatory Oh My) Hi I came across this post: http://www.talkingtree.com/blog/index.cfm?mode=entryentry=25AA75A4-45A6-284 4-7CA3EECD842DB576 There is possibly a bug with the version of the JVM 1.4.2-b28. I've tried everything except this - which I'll try in the morning when I get back into the office... Let you know how I get on -Original Message- From: Rob Wilkerson [mailto:[EMAIL PROTECTED] Sent: 01 November 2006 16:29 To: CF-Talk Subject: Re: CFHTTP, SSL and Certificates (Obligatory Oh My) On 11/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: What version of CF? MX 7.0.2 What error message are you getting... There is no error message beyond the Status code unavailable error returned by the CFHTTP call. Nothing in any log file. you said other HTTPS sites are working - I'm assuming you mean other cfhttp calls? That's correct. Once I import the cert, I can CFHTTP to several (3) other SSL-enabled URIs. Are there differences in the types of the certificate? Not that I'm aware of. All were exported in the same manner and I didn't notice any difference (although, admittedly, I'm not sure what I'd have been looking for). When you attempt to import the certificate it should confirm that its been added It does. I can list them after importing and, sure enough, they're in place and trusted. ~ ~ ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258813 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: CFHTTP, SSL and Certificates (Obligatory Oh My)
On 11/2/06, Kola Oyedeji (E-mail) [EMAIL PROTECTED] wrote: Well that did the trick! I was reluctant to start updating the JVM given nothing had changed (including the third parties certificate) - however I did install a new JVM (1.4.2_09) on the machine *but didn't set ColdFusion to use it* then: - copied the keystore to this new JVM - added the certificate to the keystore - then copied the keystore back to ColdFusion and restarted ColdFusion That did the trick. I'm still bemused as to why it would suddenly stop working? You can download 1.4.2_09 and most JDKs/JVMS from here: http://java.sun.com/products/archive/ Hope that works for you Kola Sadly, I'm already using the 1.4.2_09 JVM for my CF implementation so I guess this won't help me much. It's a lot to ask, I know, but would someone mind trying to CFHTTP the URI below by following the standard process? https://www.controller.jhu.edu/staff/phone_book/phone_co.jsp I'd like to ensure that it's not my environment. Or, if it is my environment, try to understand why my environment is causing me so many headaches. Thanks. Rob ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258856 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: CFHTTP, SSL and Certificates (Obligatory Oh My)
I tried CFMX 7.02 using the built in 1.4.2_09 JVM and the 1.4.2_11 JVM, but both reported a CFHTTP failure of I/O Exception: peer not authenticated even after I imported the jhu certificate into the cacerts used by the JVM under ColdFusion and verified it with the keytool list output (and of course I restarted CF as well). ColdFusion was successful with https://login.yahoo.com and https://www.google.com, but not with the jhu.edu site. I traced the connections from CFHTTP to watch the events unfold, and I traced my Firefox connection to jhu.edu as well. Here's some screenshots of the traces, although I don't have any conclusions to draw from them yet: a) Trace of Firefox to jhu.edu http://www.talkingtree.com/images/jhu_firefox_server_hello.jpg b) Trace of CF7.02 CFHTTP to jhu.edu http://www.talkingtree.com/images/jhu_trace_server_hello.jpg c) Trace of CF7.02 CFHTTP to yahoo http://www.talkingtree.com/images/yahoo_login_trace.jpg d) Trace of CF7.02 CFHTTP to google http://www.talkingtree.com/images/google_trace.jpg Traces a, c, and d are show a successful exchange, and trace b shows the failure. Traces a and b to jhu.edu show a Client Hello in frame 4 and a Server Hello in frame 6. Trace a then shows firefox sending a Client Master Key to jhu.edu on frame 7, but trace b shows CFMX sending some Encrypted Data followed by a FIN and RST flag back to jhu.edu, thus ending the connection. Trace b goes on to show that CFHTTP tries 3 times, but continues to fail. The there are 6 key types (Cipher specs) in Firefox, and 4 key types in the JVM under CF (shown in the middle of screenshots a and b), although Firefox in frame 7 uses SSL2_RC4_128_WITH_MD5 as the Cipher Spec, which is common to Firefox and CF's JVM. The only other interesting observation is that Yahoo and Google use TLS (the 'new' SSL protocol), and jhu.edu uses SSLv2 which should work. That's all I've got for now... -Steven Erat -Original Message- From: Rob Wilkerson [mailto:[EMAIL PROTECTED] Sent: Thursday, November 02, 2006 11:16 AM To: CF-Talk Subject: Re: CFHTTP, SSL and Certificates (Obligatory Oh My) Sadly, I'm already using the 1.4.2_09 JVM for my CF implementation so I guess this won't help me much. It's a lot to ask, I know, but would someone mind trying to CFHTTP the URI below by following the standard process? https://www.controller.jhu.edu/staff/phone_book/phone_co.jsp I'd like to ensure that it's not my environment. Or, if it is my environment, try to understand why my environment is causing me so many headaches. Thanks. Rob ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258937 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: CFHTTP, SSL and Certificates (Obligatory Oh My)
Yeh and still struggling with it... :( http://www.houseoffusion.com/groups/CF-Talk/thread.cfm/threadid:48564 What version of CF? What error message are you getting... you said other HTTPS sites are working - I'm assuming you mean other cfhttp calls? Are there differences in the types of the certificate? When you attempt to import the certificate it should confirm that its been added Kola -Original Message- From: Rob Wilkerson [mailto:[EMAIL PROTECTED] Sent: 01 November 2006 13:21 To: CF-Talk Subject: CFHTTP, SSL and Certificates (Obligatory Oh My) Hey all - I'm debugging a customer issue with a CFHTTP call that's reaching out to a secure location with a valid certificate. I've exported the cert (in both base64 and, just to be sure, binary formats) and imported it into cacerts, but it just won't take. Other HTTPS sites work just fine, but I can't get this one to connect. Has anyone else run into a circumstance where importing a cert still doesn't keep the connection from failing? If not, would someone mind trying to connect to the URI below via CFHTTP and let me know whether it works for you? I'm not above admitting that I could easily be screwing up the import process, but I'm at a loss for how I might be doing that since other sites appear to work as expected. The URI I'm trying to import is https://www.controller.jhu.edu/staff/phone_book/phone_co.jsp It can be accessed directly, of course. Thanks very much. Rob Wilkerson ~ ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258700 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFHTTP, SSL and Certificates (Obligatory Oh My)
On 11/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: What version of CF? MX 7.0.2 What error message are you getting... There is no error message beyond the Status code unavailable error returned by the CFHTTP call. Nothing in any log file. you said other HTTPS sites are working - I'm assuming you mean other cfhttp calls? That's correct. Once I import the cert, I can CFHTTP to several (3) other SSL-enabled URIs. Are there differences in the types of the certificate? Not that I'm aware of. All were exported in the same manner and I didn't notice any difference (although, admittedly, I'm not sure what I'd have been looking for). When you attempt to import the certificate it should confirm that its been added It does. I can list them after importing and, sure enough, they're in place and trusted. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258704 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: CFHTTP, SSL and Certificates (Obligatory Oh My)
Hi I came across this post: http://www.talkingtree.com/blog/index.cfm?mode=entryentry=25AA75A4-45A6-284 4-7CA3EECD842DB576 There is possibly a bug with the version of the JVM 1.4.2-b28. I've tried everything except this - which I'll try in the morning when I get back into the office... Let you know how I get on -Original Message- From: Rob Wilkerson [mailto:[EMAIL PROTECTED] Sent: 01 November 2006 16:29 To: CF-Talk Subject: Re: CFHTTP, SSL and Certificates (Obligatory Oh My) On 11/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: What version of CF? MX 7.0.2 What error message are you getting... There is no error message beyond the Status code unavailable error returned by the CFHTTP call. Nothing in any log file. you said other HTTPS sites are working - I'm assuming you mean other cfhttp calls? That's correct. Once I import the cert, I can CFHTTP to several (3) other SSL-enabled URIs. Are there differences in the types of the certificate? Not that I'm aware of. All were exported in the same manner and I didn't notice any difference (although, admittedly, I'm not sure what I'd have been looking for). When you attempt to import the certificate it should confirm that its been added It does. I can list them after importing and, sure enough, they're in place and trusted. ~ ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258761 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
