(CF8.01 server with Windows 2008 Server R2 - Java installed in C:\Program Files\Java\jre6)
I have no problems connecting with CFHTTP from a local dev box to one of our domains on a server with SSL. I also have a domain that uses a PayPal API over SSL which appears to be working still. However I've recently tried to integrate with another 3rd party and I can't get it to connect
I receive a peer not authenticating error, as detailed in the link below
Diagnosing a CFHTTP issue - peer not authenticated · Raymond Camden
I tried the fix at the top of Raymond's page but it would not work, it just threw errors. I've been through the thread which at one point led me to an instructional page here Naveen Chhabra's Blog | Just another WordPress.com site which suggested that you take the certificate from the third party server and install it on the CF server. However I struggled with that because it was asking for a keystore password, which I don't know and can't seem to figure out how to set.
The more I read the more complex this appears to get. This page from Oracle gave me a headache: keytool-Key and Certificate Management Tool
It's odd how I'm able to use PayPal, and also connect to my other domains on SSL from the dev box, and yet this particular third party won't work.
I'm also concerned that if I install their certificate that once it expires that the function will then fail.
I've read the previous forum posts and can't seem to find a solution; I also seem to be the only person with this issue on CF8, the other reports are CF9 or CF10.
Can anybody please help me resolve this issue?
Thanks
Mark
The default keystore password is simply “changeit” (no quotes).
Sometimes importing the key is the solution. If you do that, there are gotchas. Some key ones are:
- you need to point to the lib\cacerts as found in the JVM folder that CF is pointing to, in the java.home of the jvm.config—it may not be CF’s default jvm, so importing the cert there will do no good.
- you need to run the keytool at a command line that is running as admin (on Windows)
Then again, perhaps you don’t need to import a cert. Perhaps instead you need to update your JVM. Many have found that such SSL/TLS issues are fixed by updating that JVM that CF points to, to Java 8. CF8 runs on Java 1.6 and was never certified even for 7. And CF9 was never certified for 8. But some CF9 users have pointed it to Java 8 and solved such problems.
Updating the JVM CF uses is, on the surface, very easy. A 5-minute job if you know what you're doing. If you don't, it can leave you thinking CF is hosed with no choice but to reinstall. That is usually not necessary. I discuss more in this post:
http://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start
Finally, as for why this may be needed for some sites and not others you connect to, it’s often due to the web server of the destination site having changed what SSL/TLS encryption algorithms it will support. Perhaps the sites having trouble have implemented some tighter requirement than those that are working for you.
Let us know if you fix things or learn more.
/charlie
Hi Charlie,
Somebody also just pointed out that the password is changeit; that worked.
I imported the cert into the same location as the Java 1.6 that I am currently using (the Program Files location), which was the same as what CF is pointing to; I checked in the 'i' for information in the CF admin.
It confirmed imported. I stopped and started CF. Still won't connect.
I then tried the same thing on .xyz Domain Names | Join Generation XYZ , which was the link provided in the instructions that I found above Naveen Chhabra's Blog | Just another WordPress.com site , that would not connect either, after also installing their cert.
I've spent all morning trying to get Java 8 to install but it won't; CF8 does not seem to run with it, as soon as I try JVM settings in the admin I get a CF error. I've made sure that it was pointing to the correct folder and I also installed the JDK and pointed to the JRE inside the JDK, both with and without //JRE in the URL. I've tried it by changing the jvm.config, and also the URL inside the CF admin, with the same results.
You may be able to simply enable the desired cipher suites in Java 7 instead, as described here:
ssl - Enable TLSv1.2 and TLS_RSA_WITH_AES_256_CBC_SHA256 Cipher Suite in Java 7 - Stack Overflow
Dave Watts, CTO, Fig Leaf Software
Thanks Dave,
I read the link; unfortunately it's a little beyond me. However I'm also only on Java 6. I can't get it to run on 8 or above (could not find a download for 7 anymore).
Java 7 is available here:
Java Archive Downloads - Java SE 7
Dave Watts, CTO, Fig Leaf Software
Thanks Dave,
I've downloaded v7, installed it and pointed the java.home to it (on a dev box with Win10, not server edition), tried the authentication, still not working.
Did you also change your jvm.config to contain the arguments listed in the link? You might have to experiment a bit there, and you might want to contact your payment processor to find out specifically what ciphers and protocols you should be using.
Dave Watts, CTO, Fig Leaf Software
I did update the jvm.config so that the java.home=C:\\Program Files\\Java\\jre7
I didn't make any other changes to it.
It's not a payment processor; I'm trying to pull from an API on an ad network, although putting that aside, I can't even connect to .xyz Domain Names | Join Generation XYZ which does not even require any parameters.
Per the StackOverflow link, you're going to have to add more arguments to java.args to get Java 1.7 to use TLS 1.2 and newer ciphers. Here's an example from that link:
-Dhttps.protocols=TLSv1.2
-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256
I don't know if that cipher is the one you'll have to use; you'll need to check with the provider. But it's an example of how you can specify individual ciphers in Java 1.7.
Dave Watts, CTO, Fig Leaf Software
Any idea which file I edit? I had a look in the Java 7 installed folder and can't seem to find anything that looks like a candidate.
This would be the jvm.config file used by CF.
Dave Watts, CTO, Fig Leaf Software
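Charlie's post above (import the vendor cert into the cacerts of the JVM that jvm.config's java.home names, not some other JRE) and Dave's posts (add -Dhttps.protocols and -Dhttps.cipherSuites to java.args in that same jvm.config) are two edits against one file. The following Python script is an added example, not code from any poster; it works on a constructed sample jvm.config, the property names and cipher suite are the ones quoted in the thread, and the keystore location assumes the standard JRE layout of lib\security\cacerts.

```python
# Constructed sample of a ColdFusion jvm.config (not the thread's real file). The doubled
# backslashes are how the file escapes Windows paths, as in the java.home line quoted above.
SAMPLE_JVM_CONFIG = r"""# VM configuration
java.home=C:\\Program Files\\Java\\jre7
java.args=-server -Xmx512m -Dsun.io.useCanonCaches=false -Dcoldfusion.rootDir={application.home}/
"""

# The two switches from the Stack Overflow answer quoted in the thread. The cipher suite is
# only an example; the remote service must confirm which suites and protocols it accepts.
TLS_PROPS = {
    "https.protocols": "TLSv1.2",
    "https.cipherSuites": "TLS_RSA_WITH_AES_256_CBC_SHA256",
}


def parse_jvm_config(text):
    """Return {key: value} for the key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def cacerts_path(java_home):
    """Keystore keytool must import the vendor cert into: the JVM named by java.home, not
    whatever JRE happens to be on PATH. Assumes a JRE layout (a JDK nests it under jre)."""
    return java_home.replace("\\\\", "\\").rstrip("\\") + r"\lib\security\cacerts"


def merge_java_args(java_args, props):
    """Set -Dkey=value switches in a java.args string, replacing any existing value for the
    same key so that repeated edits never leave two conflicting -D switches behind."""
    managed = tuple(f"-D{k}=" for k in props)
    tokens = [t for t in java_args.split() if not t.startswith(managed)]
    tokens += [f"-D{k}={v}" for k, v in props.items()]
    return " ".join(tokens)


def update_jvm_config(text, props):
    """Rewrite only the java.args line of a jvm.config; every other line is kept verbatim."""
    out = []
    for line in text.splitlines():
        if line.startswith("java.args="):
            line = "java.args=" + merge_java_args(line[len("java.args="):], props)
        out.append(line)
    return "\n".join(out) + "\n"
```

Both properties are JVM-wide: pinning https.cipherSuites to a single suite also constrains every other outbound HTTPS call CF makes (the PayPal and in-house sites that currently work), so a list that those endpoints also accept is safer than one suite.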
Added, plus also tried an extra line -Ddeployment.security.TLSv1.2=true
Still not working.
Then, I think you're going to have to go to whoever runs that service and ask them what ciphers and protocols they support.
Dave Watts, CTO, Fig Leaf Software
Agreed. I'm dealing with somebody who has to go to their tech; I can't talk directly with them, so I'll see what he can find.
I'm also looking at the potential pain of updating to CF2016, which I believe might resolve the problem, in the hope that it does not cause any new ones, as it's a bit of a leap from 8 to 2016.
I've just installed a trial of ColdFusion 2016, and both the links will now connect with no trouble.
I'll have to test some of my sites but if there are no code issues then I think it might be wise to move to a new version.
I believe there's a tool I can use to test it, does anybody know where I find that? Is it built into CF 2016?
CF8 also has me locked down to Windows Server 2008 R2, it won't run on anything higher (as far as I'm aware) so moving to a new version would also give me the ability to move to Windows Server 2016 to take advantage of the latest and greatest IIS and OS. Not to mention the UPDATE button in CF2016 (love that!)
Is there a gotcha?
Thanks
Mark
I'd suggest you run that API endpoint past the SSLLabs tester:
SSL Server Test (Powered by Qualys SSL Labs)
and note what versions of TLS it supports. Windows Server 2008 maxes out at TLS 1.0, so if your API endpoint recently disabled TLS 1.0 to comply with upcoming year 2018 PCI compliance mandates, that might be the issue. *edit* Nevermind, I see Microsoft finally relented and issued a patch supporting TLS 1.1 and 1.2 on the older OS.
Make sure the SSLLabs test says that the certificate chain is valid ... I recently had an issue with a 3rd party API and the SSL labs test revealed that their *intermediate* certificate was not installed on their server, and I needed to add that to my local keystore in order for CF11/Windows Server 2012 to connect to it. The vendor denied there was a problem because *browsers* connected fine.
Thanks for the feedback; the SSL Labs test is very cool, one for the bookmarks.
I relented and went to ColdFusion 2016 and now it works. I had a bit of a time getting CF to recognise the CFM default pages, which was resolved (although I'm not sure what was causing the 2016 installer to mess up, I did manage to get it working):
Re: Default document not being processed when not included in URL
Thanks
Mark