Inspiring

Question

2nd cfhttp hit always fails

Forum|Forum|3 years ago
March 28, 2022
4 replies
904 views

Hi,

Some code that was working perfectly before stopped working. Basically it hits an API and if the API returns a "nextPage" response then we do a CFHTTP hit to the URL contained in "nextPage"

So for example if we hit

https://amc.az1.qualtrics.com/API/v3/users passes

https://amc.az1.qualtrics.com/API/v3/users?offset=100 FAILS

but if I start with

https://amc.az1.qualtrics.com/API/v3/users?offset=100 PASSES

https://amc.az1.qualtrics.com/API/v3/users?offset=200 FAILS

and the error always is

struct

Charset

[empty string]

Errordetail

I/O Exception: peer not authenticated

Filecontent

Connection Failure

Header

[empty string]

Mimetype

Unable to determine MIME type of file.

Responseheader

struct [empty]

Statuscode

Connection Failure. Status code unavailable.

Text

YES

I tried importing the cert into keystore which we never had to do before, and that had no effect. I tried putting a 15 sec wait between cfhttp hits and that also had no effect.

Thanks,

Gabe

This topic has been closed for replies.

BKBK

Community Expert

Suggestion for a solution:

Add the following flags to the java.args property in ColdFusion's jvm.config file (then restart ColdFusion, of course):
```
-Dhttps.protocols="TLSv1.3,TLSv1.2" -Djdk.tls.client.protocols="TLSv1.3,TLSv1.2"
```

Reason:

Go to https://www.ssllabs.com/ and scan the site https://amc.az1.qualtrics.com. ( Alternatively, just open the following URL in the browser: https://www.ssllabs.com/ssltest/analyze.html?d=amc.az1.qualtrics.com )
You will see that amc.az1.qualtrics.com supports TLS 1.3.

W

w49369461

Participating Frequently

We also experianced this issue.

It seemed to be related to TLS1.3

Turns out there was a bug in JRE 11.0.1 which CF is bundled with.

https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8211806

Upgrading to JRE 11.0.14 resolved it for us

Charlie Arehart

Community Expert

Thanks for that update, @w49369461. FWIW, while the original CF 2021 (in Nov 2020) came with 11.0.1, the "refreshed" installer offered since Sep 2021 instead comes with 11.0.11. But this is great news if 11.0.14 would fix this problem, which has hit others.

So first, Gabe (@gabrieldavis321), had you tried Adobe's fix, whatever it was? If not, can you tell us if an update to 11.0.14 helps? (FWIW, I had replied above the day your first posted, asking what your Java version was. There have until now only been responses to Priyank's reply thread.)

And second, for any who may for some reason be unable to update their JVM version, it would seem that another option would be to tell CF (the JVM args underlying it) to not use TLS 1.3. Some may have seen others suggesting this with args like -Djdk.tls.client.protocols=TLSv1.2 (or perhaps adding also 1.1, though since Java 11.0.11 even Java itself no longer allows talking to 1.1 by default).

Of course, a risk of putting in an arg like that and NOT allowing calls to TLS 1.3 means that some day you will need to talk to something that ONLY supports it (and not 1.2), in which case the conneciton would fail. But again I offer this as a stop-gap. If updating to 11.0.14 really solves this problem, great. See the last link for my post on that 11.0.11 update, which includes info to help in updating teh Java used by CF.

Finally, @Priyank Shrivastava., as for the patch you'd referred to, is that something which still would work ok with this 11.0.14 update? Have you confirmed? And does the 11.0.14 correction negate the need of that patch? Either way, is that patch something you can share with others? Might there be a public tracker bug ticket with the fix? Thanks.

/Charlie (troubleshooter, carehart. org)

Charlie Arehart

Community Expert

What Java version is reported by your cf admin? (Don't just go to the command line and do Java - version. That may not be what cf itself is using.)

/Charlie (troubleshooter, carehart. org)