February 28, 2011
Question

cfhttp not being able to make ssl request.


I am having an issue trying to make https request using cfhttp.

The problem I am getting is

I/O Exception: Name in certificate `www.stagingelections.xxx.xxx' does not match host name `elections.xxx.xxx'

However both names are in the certificate that has been imported into the keystore.
They are all in the certificate, but it is taking the last one instead:

CN = elections.xxx.xxx
CN = admin.elections.xxx.xxx
CN = admin.stagingelections.xxx.xxx
CN = adminelections.xxx.xxx
CN = adminstagingelections.xxx.xxx
CN = stagingelections.xxx.xxx
CN = www.elections.xxx.xxx
CN = www.stagingelections.xxx.xxx

Does anyone know how the keystore works out which URL to authenticate against?

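The question asks how "the keystore" picks a name to check. It does not: the keystore only holds the CAs (and certificates) the client trusts. The name check is done separately by the HTTP client, which compares the host name from the request URL against the names carried inside the server certificate. The example below is added to this thread and is not code from ColdFusion or from its HTTP client; it implements the standard matching rule (RFC 6125) so the reader can see what a correct verifier does with the eight names posted above. The `CertNames` type and the list `THREAD_NAMES` are constructed for the example from the question; the error quoted in the question suggests the client in use compared only a single CN, which this code deliberately does not do.

```python
"""Hostname verification as a TLS client performs it.

Added example for this thread, not code from Adobe ColdFusion or its HTTP client.
The keystore only decides which CAs are trusted; the *requested* host name is then
compared with the names inside the server certificate. Rules follow RFC 6125:
every listed name is a candidate, subjectAltName dNSName entries take precedence
over the subject CN, and a wildcard is allowed only as the entire left-most label.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Identity names carried by a server certificate (constructed for the example)."""
    san_dns: List[str] = field(default_factory=list)      # subjectAltName dNSName entries
    subject_cns: List[str] = field(default_factory=list)  # CN attribute(s) of the subject DN


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate name against the requested host.
    A wildcard must be the whole left-most label, needs at least two labels
    after it (no "*.com"), and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matching_name(names: CertNames, host: str) -> Optional[str]:
    """Return the certificate name that covers `host`, or None.
    The CN is consulted only when the certificate has no dNSName SANs."""
    candidates = names.san_dns if names.san_dns else names.subject_cns
    for name in candidates:
        if _name_matches(name, host):
            return name
    return None


def verify_hostname(names: CertNames, host: str) -> str:
    """Return the matching name, or raise ValueError when no name covers the host."""
    match = matching_name(names, host)
    if match is None:
        listed = ", ".join(names.san_dns or names.subject_cns) or "<no names>"
        raise ValueError(f"No name in certificate [{listed}] matches host name '{host}'")
    return match


# The eight CN values listed in the question, embedded here as constructed input.
THREAD_NAMES = CertNames(subject_cns=[
    "elections.xxx.xxx",
    "admin.elections.xxx.xxx",
    "admin.stagingelections.xxx.xxx",
    "adminelections.xxx.xxx",
    "adminstagingelections.xxx.xxx",
    "stagingelections.xxx.xxx",
    "www.elections.xxx.xxx",
    "www.stagingelections.xxx.xxx",
])


if __name__ == "__main__":
    for host in ("elections.xxx.xxx", "WWW.stagingelections.xxx.xxx", "unknown.xxx.xxx"):
        print(host, "->", matching_name(THREAD_NAMES, host))
    # A wildcard SAN covers exactly one label, and a CN is ignored once any dNSName SAN exists.
    wildcard = CertNames(san_dns=["*.elections.xxx.xxx"])
    print("www.elections.xxx.xxx under *.elections.xxx.xxx ->",
          matching_name(wildcard, "www.elections.xxx.xxx"))
    print("elections.xxx.xxx under *.elections.xxx.xxx ->",
          matching_name(wildcard, "elections.xxx.xxx"))
    san_only = CertNames(san_dns=["other.example"], subject_cns=["elections.xxx.xxx"])
    print("CN ignored when a SAN is present ->", matching_name(san_only, "elections.xxx.xxx"))
```

Two practical consequences follow from the rule: a certificate whose names are only in the subject CN (as in the question) is matched by the CN, but as soon as the certificate carries any dNSName SAN, the CN is ignored entirely, so a server certificate should list every host name it will be served under as a SAN; and a client that reads a single CN out of a multi-CN subject will report a mismatch for every host but the one it happened to pick, which is a client defect rather than something the keystore controls.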

    12Robots
    Participating Frequently
    February 28, 2011

This could be a number of things. Some are easily resolved, some not so much.

1. Did you import to the correct keystore? Numerous times, especially on Windows, I have seen admins import the needed certs to the wrong keystore.

2. Did you import the entire certificate chain? This may not be needed, but it doesn't hurt. If you install the CA cert and it still fails, then you might have other issues.

3. If you are positive you have the right store and that you've installed the entire cert chain, then you might be dealing with one of the certs that ColdFusion has issues with. More specifically, it is the RSA BSafe Crypto-J library included in CF Developer edition and CF Enterprise that seems to have the issue. For some reason, that provider has a problem with certain keystores.

    If you are using CF Standard, I do not think this problem will affect you and it is likely one of the other issues.

    You can read more about this issue and about a temporary work around here: http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html?#bugId=85815

NOTE: The work around outlined there removes the RSA BSafe Crypto-J Library, which removes ColdFusion's FIPS-140 compliance. If you don't care about FIPS-140 compliance, then you should be good. The other providers included with JCE/JCA are very good and can do just about as much, they are just not certified. If you remove the RSA Provider, the next one CF will use is the Sun provider.

    To remove the provider, you would do this before your CFHTTP Call:

    <!--- Look up the RSA BSafe Crypto-J provider, registered under the name "JsafeJCE" --->
    <cfset objSecurity = createObject("java", "java.security.Security") />
    <cfset storeProvider = objSecurity.getProvider("JsafeJCE") />

    <!--- Remember the current Diffie-Hellman KeyAgreement implementation so it can be restored --->
    <cfset dhKeyAgreement = storeProvider.getProperty("KeyAgreement.DiffieHellman") />
    <!--- dhKeyAgreement = com.rsa.jsafe.provider.JSA_DHKeyAgree --->

    <!--- Remove it; the JVM then falls through to the next provider (Sun) for DH key agreement --->
    <cfset storeProvider.remove("KeyAgreement.DiffieHellman") />

    <!--- Do your http call here (placeholder URL taken from the question). Put the key agreement
          back afterwards if you want to. If you don't plan to put it back, then you can simply do
          the above in onApplicationStart(). --->
    <cfhttp url="https://elections.xxx.xxx/" method="get" result="httpResult" />

    <cfset storeProvider.put("KeyAgreement.DiffieHellman", dhKeyAgreement) />

    psybonix (Author)
    Participant
    February 28, 2011

    Thank you for your response.

    The certificate is using the "PKCS #1 RSA Encryption" encryption.

    I have imported it on my development machine, which is CF Developer edition, and our production machine is CF Enterprise. When I imported it into my development server I created a new cacerts file which only has this certificate in it.

    I will pass this info on to the server guys to see if the encryption is the problem.

    Cheers again.

    12Robots
    Participating Frequently
    February 28, 2011

    If you created a new cacerts file, then you imported into the wrong one. There is already a cacerts file that CF (Java, really) is looking at. It could be in any number of places depending on your setup.

    It resides in <runtime>/lib/security/cacerts

    That's where you need to import the cert.