cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Exit
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
  • 한국 커뮤니티
0
Upvote

Accessing HTTPS via CFHTTP

HugeBob
Community Beginner ,
Jul 30, 2008 Jul 30, 2008
I'm trying to import the public key of a secure site (https) I want to get to via CFHTTP. But, I'm having a lot of difficulty getting this to work. Our CF8 server is on a Unix box (SunOS 5.10). From my Windows XP workstation, I went to the site with IE and retrieved the public key in DER Binary Format and saved it to a *.cer file on the CF server (via Samba share). I then used the keytool to import it into the keystore at /{jrun_root}/jre/lib/security/cacerts. I verified that it was in there with the keytool -list -keystore cacerts command. I then went into the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml file and uncommented the jrun.servlet.http.SSLService section and pointed the keyStore and trustStore attributes to the cacerts key store. I restarted CF and received a host of errors all saying:

error No available certificate or key corresponds to the SSL cipher suites which are enabled.

Can anyone lend some guidance here? Could it be that the DER file I'm using originated from a windows box?
2.5K
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 4 Replies 4
latest latest Jump to latest reply
Newsgroup_User
LEGEND ,
Jul 30, 2008 Jul 30, 2008
HugeBob wrote:
> I'm trying to import the public key of a secure site (https) I want to get to
> via CFHTTP. But, I'm having a lot of difficulty getting this to work. Our CF8
> server is on a Unix box (SunOS 5.10). From my Windows XP workstation, I went
> to the site with IE and retrieved the public key in DER Binary Format and saved
> it to a *.cer file on the CF server (via Samba share). I then used the keytool
> to import it into the keystore at /{jrun_root}/jre/lib/security/cacerts. I
> verified that it was in there with the keytool -list -keystore cacerts
> command.

So far so good.


> I then went into the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml
> file and uncommented the jrun.servlet.http.SSLService section and pointed the
> keyStore and trustStore attributes to the cacerts key store. I restarted CF
> and received a host of errors all saying:
>
> error No available certificate or key corresponds to the SSL cipher suites
> which are enabled.

And this is incorrect. You only need to do this if you are using the
buildin webserver and want to access that webserver directly from your
browser over HTTPS. (And in that case you would need the private key too.)


Undo the changes to jrun.xml, restart CF and try your cfhttp code.

Jochem


--
Jochem van Dieten
Adobe Community Expert for ColdFusion
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
HugeBob
Community Beginner ,
Jul 30, 2008 Jul 30, 2008
In Response To Newsgroup_User
quote:
Originally posted by: Newsgroup User
HugeBob wrote:
> I'm trying to import the public key of a secure site (https) I want to get to
> via CFHTTP. But, I'm having a lot of difficulty getting this to work. Our CF8
> server is on a Unix box (SunOS 5.10). From my Windows XP workstation, I went
> to the site with IE and retrieved the public key in DER Binary Format and saved
> it to a *.cer file on the CF server (via Samba share). I then used the keytool
> to import it into the keystore at /{jrun_root}/jre/lib/security/cacerts. I
> verified that it was in there with the keytool -list -keystore cacerts
> command.

So far so good.


> I then went into the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml
> file and uncommented the jrun.servlet.http.SSLService section and pointed the
> keyStore and trustStore attributes to the cacerts key store. I restarted CF
> and received a host of errors all saying:
>
> error No available certificate or key corresponds to the SSL cipher suites
> which are enabled.

And this is incorrect. You only need to do this if you are using the
buildin webserver and want to access that webserver directly from your
browser over HTTPS. (And in that case you would need the private key too.)


Undo the changes to jrun.xml, restart CF and try your cfhttp code.


Jochem,

Since I was getting all those errors during CF start up, I killed it, removed the changes and restarted the server. But, no luck. The template containing the CFHTTP still can't connect.
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Newsgroup_User
LEGEND ,
Jul 31, 2008 Jul 31, 2008
In Response To Newsgroup_User
HugeBob wrote:
> Since I was getting all those errors during CF start up, I killed it, removed
> the changes and restarted the server. But, no luck. The template containing
> the CFHTTP still can't connect.

Code and complete eror message please :)

Jochem


--
Jochem van Dieten
Adobe Community Expert for ColdFusion
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
HugeBob
Community Beginner ,
Aug 04, 2008 Aug 04, 2008
LATEST
In Response To Newsgroup_User
In looking at the Unix server CF sits on, I noticed that there are two JRE's installed: one in the JRun directory and one that's in the system path. The results of "whereis java" always points to the version not in the JRun install directory. Even if I go into /export/jrun4/jre/bin and try "whereis ./java", I don't get the version used by JRun. So, my question is, does CF actually use the JRE path in the CF Administrator's JVM Details:Java Home or does it use the system path to reach the JRE? If it uses the system path, it will never use the cacerts keystore containing the certs of the servers to be reached via CFHTTP.

Here's the code I'm using. It's a very small test page that collects the users public key in base-64 format, wraps it in XML and posts it to a webservice which returns the attributes (attrib1, attrib2, ...) about the user based on their cert.

<cfset inputXML = "<authenticate><Cert>" & cgi.CERT_SUBJECT & "</Cert><attributes>attrib1,attrib2,attrib3,attrib4,attrib5</attributes></authenticate>">
<cfhttp method="POST" url="https://secwebserv.here" port="443" result="res" timeout="300" throwonerror="no">
<cfhttpparam type="Header" name="Accept-Encoding" value="*">
<cfhttpparam type="Header" name="TE" value="deflate;q=0">
<cfhttpparam type="xml" value="#inputXML#">
</cfhttp>

When I dump the results, I get:
ErrorDetail: I/O Exception: peer not authenticated
Filecontent: Connection Failure
Mimetype: Unable to determine MIME type of file.
Statuscode: Connection Failure. Status code unavailable.
Text: YES
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Open in a new window
Copyright © 2025 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices