Coldfusion 11 - Web Sockets via SSL

Report · Sep 10, 2014

Help!

I can't seem to figure out how to handle WSS (Websockets over SSL). I have a cert that has already been sent/received by verifier. I have a cert and an intermediate cert. I've been looking at documentation and from what I've gathered i need to add the certs to the "keystore". I issued a command like this ->>> D:\CF11\jre\bin\keytool -import -v -alias myCert-cert -file myCert.cer -keystore D:\CF11\jre\lib\security\cacerts -storepass changeit <-- I see the cert is added. And if list the keystore i see the number of certs increased by one. I then enable the SSL WS, use default port (built in server.. not proxied), and point it to the keystore D:\CF11\jre\lib\security\cacerts and for pass i simply use the default changeit.... I've modified my cfcode to have the secure="true" attribute. So I think everything is setup correctly ....but... when i goto the webpage the web socket will try to connect then simply not connect (Firebug says the connection was refused) (The code works fine removing the secure attribute and accessing via http) ... So i guess i'm not sure exactly what i should be doing. Can i use the same cert that I had created via IIS. The cert looks valid. Also further more i see nothing showing up in the log files.. I see a log called WebSocket.log but the size is 0 and nothing is being thrown in the exception log either.. I'm completely confused.

Report · Sep 10, 2014

Hi,

If you are trying to configure WebSocket over SSL using self-signed certificate, then ColdFusion server should also be running over SSL using the same certificate.

To configure ColdFusion server over SSL follow below mentioned steps:

1. Create Keystore:

Keytool -genkey -keyalg RSA -keystore websocket.crt -storepass changeit -alias wss -keypass changeit -validity 365

2. Configure ColdFusion to run over SSL port:

Uncomment "<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />" this section in server.xml file available at <cf_home>/cfusion/runtime/conf.
Change value of "Protocol" attribute from "HTTP/1.1" to "org.apache.coyote.http11.Http11NioProtocol" in the Connector tag.
Add these attributes to above mentioned tag:
1. keystoreFile
2. keystorePass
Save Changes.
Restart ColdFusion service.
Access ColdFusion administrator console using URL: https://127.0.0.1:8443/CFIDE/administrator/index.cfm

3. Configure Websocket to run over SSL port:

Access ColdFusion administrator console.
Navigate to ColdFusion Administrator > Server Settings > WebSocket.
Check "SSL Port" checkbox.
Enter keystore location and password [which we created in step #1 Create Keystore ].
Submit Changes.
Restart ColdFusion service.

4. Create a sample CFML template to verify the configuration.

Application.cfc

component

{

this.name = "sample";

this.wschannels = [{name="demo"}];

}

SAMPLE.cfm

<html>

<head>

<title>Websocket Example</title>

//messagehandler recieves all the messages from websocket

function mycbHandler( messageobj)

{

var message = ColdFusion.JSON.encode(messageobj);

var txt=document.getElementById("myDiv");

txt.innerHTML +=message +"<br>";

}

//openhandler is invoked when socket connection is

function openHandler()

{

var txt=document.getElementById("myDiv");

txt.innerHTML +="open Handler invoked <br>";

}

</script>

</head>

</html>

5. Try to access this CFML template using ColdFusion over SSL port using Chrome web browser or any other browser with debugging capability.

6. In my case, it is Google chrome. Press F12 and navigate to the Network section to check whether websocket request is being served over SSL or not.

If you find any difficulty in following above mentioned steps, you can contact me at nimsharm@adobe.com

Regards,

Nimit

Report · Oct 27, 2014

Hi Nimit,

I am trying to follow the same instructions presented here with little success, I was directed here by my developer who is trying to implement WebSocket over SSL on ColdFusion 11. We are running ColdFusion 11 on Windows Server 2012 and IIS 8. We are using a GoDaddy certificate and not a self-signed certificate, should the process be the same?

Basically, I have used the keytool as described and made the changes in server.xml and restarted the server but I cannot access the page on port 8443 or on just HTTPS. It just says waiting and eventually times out. I can access the regular coldfusion admin on HTTP. Could you please help me troubleshoot this ? I am looking at the logs and cant find anything helpful.

Regards

Prem

Report · Nov 26, 2014

Hi Sharma,

I also sent you a note directly via email (see below). I am having a similar issue to Prem without resolution.

Our CF11 server configuration:

Windows 2012 Server R2

IIS 8

We have a *.balboadigital.com registered RapidSSL certificate installed on our server which resolves to https://dev.balboadigital.com on this particular development box. I've been unable to locate any online resources which would show me how to utilize this certificate for websockets within CF11. Due to this, I was happy to find your reference to try a self-signed certificate. I followed your instructions. Here is the breakdown:

1. I generated the keystore per your instructions which created the websocket.crt file.

2. The CF server XML was uncommented and updated to:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                keystoreFile="C:\ColdFusion11\jre\bin\websocket.crt" keystorePass="[my password]"/>

3. I restarted the CF11 Application Windows service.

4. The "Use Built-In WebSocket Server" radio button was selected with PORT: 8575 for non-SLL and PORT: 8543 for SSL as defaults. The KeyStore was set to "C:/ColdFusion11/jre/bin/websocket.crt" and the KeyStore Password to "[MyPassword]" and changes posted.

5. I restarted the CF11 Application Windows service.

6. I then ran a test web page: https://dev.balboadigital.com/admin/websocket/index_withssl.cfm (this is live for you to test)

Application.cfc
<CFCOMPONENT>
    <CFSCRIPT>
    this.name = "balboa";
    this.wschannels = [{name="phone"}];
    </CFSCRIPT>
</CFCOMPONENT>
index_withSSL.cfm
<script type="text/javascript">
    function mymessagehandler(atoken)
    {
        if (atoken.data != null) {
            var message = ColdFusion.JSON.encode(atoken.data);
            var txt = document.getElementById("myDiv");
            txt.innerHTML += message + "<br>";
        }
    }
    function publishmessage()
    {
        var msg = document.getElementById("message").value;
        mycfwebsocketobject.publish("phone.4",msg );
    }

</script>
<cfwebsocket name="mycfwebsocketobject" onmessage="mymessagehandler" subscribeto="phone" secure="true">
"Phone" Message: <input id ="message" type="text" > <input type="button" onclick="publishmessage();" value="Publish Message"><br />
<cfdiv id="myDiv"></cfdiv>
The test fails and returns the following from the Google Chrome Console:
WebSocket connection to 'wss://dev.balboadigital.com:8543/cfusion/cfusion' failed: WebSocket opening handshake was canceled

7. The script was copied and modified to eliminate SSL as follows: http://dev.balboadigital.com/admin/websocket/index_nossl.cfm (this is live for you to test)

index_nossl.cfm
<script type="text/javascript">
    function mymessagehandler(atoken)
    {
        if (atoken.data != null) {
            var message = ColdFusion.JSON.encode(atoken.data);
            var txt = document.getElementById("myDiv");
            txt.innerHTML += message + "<br>";
        }
    }
    function publishmessage()
    {
        var msg = document.getElementById("message").value;
        mycfwebsocketobject.publish("phone",msg );
    }

</script>
<cfwebsocket name="mycfwebsocketobject" onmessage="mymessagehandler" subscribeto="phone">
"Phone" Message: <input id ="message" type="text" > <input type="button" onclick="publishmessage();" value="Publish Message"><br />
<cfdiv id="myDiv"></cfdiv>
This test passes and works as expected, but no SSL.

Please advise as our application absolutely requires that SSL is working for us.

Thanks,

Kevin

Report · Jan 16, 2015

Hi everyone, I just want to share this information in case someone else is having problems with ColdFusion 11 and WebSockets through SSL.

We had this issue with this configuration:

- ColdFusion 11 (Update 2)

- IIS 7.5

- Windows Server 2008

- WebApp Running over https

These are some points to consider before getting to know what is wrong.

CF 11 Update 2 seems to have problem using a Keystore different than JKS (We were using PFX keystore file, it doesnt support pkcs12 format),

CF 11 Update 3 seems to break everything about WebSockets through SSL (https://bugbase.adobe.com/index.cfm?event=bug&id=3865461).

When using a Keystore that is not supported (like pfx, or just a crt file) ColdFusion seems to start the WebSockets SSL Service, but when trying to connect it fails in the SSL HandShake when trying to switch protocol from https to wss (secure websocket), you can notice this if you get Error message on console like " SSL HandShake Aborted" , "Connection refused by Server", "OSStatus Error -9806: connection closed via error"(safari), and other similar errors depending on web browser.

When using a self-signed certificate (not working in production) you must add an exception rule to your browser so it can "trust" the certificate used in the configuration.

The KeyStore File must have all the Certificate Chain in order to work in production, this means it must contain:
- Your domain Certificate (Signed by a CA, e.g. GeoTrust, VeriSign, etc).
- The Intermediate Certificate
- The Root Certificate of the Organization who signed your domain Certificate
- The Private Key

How to get this working?

1. First, if you're using a web server like apache or IIS and currently running over https and you want to configure your certificate with coldfusion, the way to know if your certificate (in a keystore) works fine in CF is to configure a Connector with SSL and test the https connection directly to ColdFusion through the SSL port configured in the connector (default is 8443).

How do I create a keystore in JKS format from a cer, crt or pem file?

As I mention before the keystore must have the complete certificate chain. You can find out how here (java - Adding certificate chain to p12(pfx) certificate - Stack Overflow).

Important tip:

If you already have your IIS Running with https you must have a certificate and private key for your site, so you can get a working KeyStore based on this. To make a JKS based on the Certificate used in IIS follow this steps:

- Export a PFX file which contain the Private Key and Certificate (How to export a certificate from Microsoft IIS 7 )

- (optionally) Add the root certificate of your CA to the PFX file

- Convert the PFX file to a JKS Keystore (java - How to convert .pfx file to keystore with private key? - Stack Overflow)

Now to configure the connector you'll have to edit the <cf_root>/cfusion/runtime/conf/server.xml file and add the following configuration:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"

           maxThreads="150" scheme="https" secure="true"

           clientAuth="false" sslProtocol="TLS"

           keystoreFile="/path/to/file/keystore.jks"

           keystorePass="yourKeystorePass"

           keystoreType="JKS" />

2. Restart coldfusion server and load your administrator via the configured port (e.g https://yourdomain.com:8443/CFIDE/administrator) if you manage to load this page without any certificate/security warnings or error thats a good sign and you're almost done.

To be sure if the certificate is correctly configured you can use this online tool writing your site url with the ssl port: SSL Certificate Checker

If everything is okay you'll see something like this in the bottom of the page:

3. If you got to this point now the final step is to configure the KeyStore for SSL WebSockets (Navigate to ColdFusion Administrator > Server Settings > WebSocket.) writing the same KeyStore file Path and Password as in the Server.xml file.

4. Restart ColdFusin server.

Best Regards,

Kevin Lopez

Report · Jul 02, 2017

Hi Guys,

I am running CF2016 on windows server 2008 R2 and using IIS7.5. I am hosting a number of sites on the server.

Recently I purchased a GeoTrust SSL certificate (which was installed by my VPS server host) for one of the websites that I am hosting. The site runs perfectly on https, except for a few pages that use websockets since the browsers require a ssl websocket connection if viewing the page over https. As there is no documentation that I could find on how to implement websocks over SSL in CF2016, I followed the instructions in this thread for CF11, specifically the last post by kevenlopez.

I have followed all the steps but can't seem to get it working:

1. I exported the certificate file (pfx) from IIS and created a .jks keystore from it.

2. I selected the SSL option in the administrator and pointed to the keystore location (C:/ColdFusion2016/jre/bin/geotrust_cert.jks) and entered the password. I also unselected the non-ssl option.

3. I modified the server.xml file to contain the following:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"

maxThreads="150" scheme="https" secure="true"

clientAuth="false" sslProtocol="TLS"

keystoreFile="C:\ColdFusion2016\jre\bin\geotrust_cert.jks"

keystorePass="mypassword"

keystoreType="JKS" />

4. I restarted the server.

When I visit the webpage with the websockets, if I f12 and view the console comment, it waits a while and then times out and does not form the connection.

I was wondering if anyone could think of something that I may be doing wrong? Perhaps because I have a domain specific (just for one of my sites) SSL certificate?

I am not very proficient with Coldfusion and any help or links to further relevant resources would be really appreciated. Thanks!, Ryan.

Report · Oct 10, 2018

Hi,

Any luck? I am having same issue with cf2016 but I am using a self signed pfx file that I imported into a jks keystore. All browsers are closing the connection... for example in Chrome I see

'wss://in001204.amcnt.amc.edu:8543/cfusion/cfusion' failed: Error in connection establishment: net::ERR_CONNECTION_CLOSED

Thanks

Gabe

Report · Feb 02, 2021

Where you able to fix this? Im having this same issue.

Report · Oct 10, 2018

Just a question to everyone watching this thread: no one has yet mentioned trying to access such cf websockets by way of configuring the websocket *proxy* feature available for use when calling cf by way of an external web server (apache, iis). (There's a cf admin setting to enablenthis, and a sister tool to the web server configuration tool that enables this websocket proxy setup .)

Wouldn't doing that then alleviate the need to worry about configuring cf for ssl? The ssl/tls communications would be between the client and the web server (iis/apache). The communication between that and cf is then unencrypted (as with all cf processing, not just websockets).

I will admit I've not done it, but i know it's a documented feature added in cf11. See this adobe article for more, including steps and screenshots:

Using WebSocket with ColdFusion 11 | Adobe Developer Connection

If it works out (or not), please do report back here.

/Charlie (troubleshooter, carehart.org)

Report · Feb 02, 2021

Hello Charlie, regarding your last post, I've tried using this proxy method for wss and it setups very easy. The problem is it's not stable. IIS proxy stops responding and drops web socket connections. I havent found a solution to this, it may be related to connection pool size, but been trying different options with no success. So I came back trying to use SSL over coldfusion. No success either.

Report · Feb 02, 2021

Wow, a blast from the past (since my "last post" here was in Oct 2018). So about your observation of instability of the wsproxy, I gather you are still using both IIS and CF11, is that right? And as for the CF11, have you updated the web server configuration (wsconfig) since its original installation? There is nearly always a need to update the wsconfig after most CF updates.

Of course, CF11 has not had any updates since 2019. But I have helped many people since CF10 (in 2012) until now to solve what seemed instability problems in the connection from IIS to CF, which were down to simply updating the connector. Check the isapi_redirect.dll files in all your coldfusion11/config/wsconfig numbered folders. Are they all from 2019 (and have you got CF11 update 19 applied, from June 2019)? If any are from earlier (especially from 2014), that's trouble. They have not been updated and there were indeed bugs in the early connectors.

If that's not the issue (all your isapi_redirect.dll files are from 2019), then the next quesiton would be whether there may be need to tune your connector. And yep, the connection pool size is one facet, but a far more important one (in CF10 and 11) was the need to have a connection_pool_timeout set (in the workers.properties file, of the connector). This was discussed in a post from Adobe in the CF10 and later another and "improved" post in the CF11 timeframe (https://coldfusion.adobe.com/2014/05/coldfusion-11-iis-connector-tuning/). I've been helping people make sense of that post and what needed to be done to resolve problems (thankfully, the CF2016 connector had "better" defaults).

And really, for many, the ONLY change they needed was to have ANY timeout set (the value of 60 proposed in the blog post is indeed what CF2016 and above use by default). The problem with the connector in CF10 and 11 was that there was NO value set for connection_pool_timeout (in the workers.properties) and no ConnectionTimeout set in the server.xml (for the ajp connector) as discussed in that post, and so connections that were no longer in use would NEVER timeout, and that was a key to much seeming "instability" with CF.

Finally, as for your considering going back to the direct connection to the CF (rather than proxying through IIS or Apache), I will note that if you are getting the connection refused or other connection errors mentioned by others over the years here, I notice that no one talks at all about firewalls. If the "ssl port" is setup in the CF Admin web socket page, such as the 8543 shown in the Adobe article referenced in my first comment, then that port needs to be opened in your server's/machine's firewall, if anyone outside of that box will try to access it. I realize that may NOT be the problem some were having, but it's not clear and its worth mentioning.

Very often with things like this, you can find many people on the web commiserating about some problem, and perhaps even getting someone from Adobe to agree there's a "bug", when it may turn out instead that it's some other variable that's impacting things, which might not have been considered. That's what I do in the day to day consulting I do, helping people solve such problems. It's very rare that I can't help someone overcome what seemed a blocker, whether done in forum posts like this, or by direct (shared desktop) assistance.

Let us know if any of this helps get you further with either approach (proxied or not).

/Charlie (troubleshooter, carehart.org)

Report · Feb 02, 2021

Thank you Charlie for your quick response. Actually Im running on CF 2018 Enterprise, unfortunatelly I never found this forum at the moment and I got so frustrated that decided to try again with SSL and avoid the proxy option. Today I updated my server and reactivated proxy connector. It's running ok so far, if find anything will let you know.

Report · Jun 30, 2022

With CF 2021 Enterprise the built-in websocket server was giving grief. Proxy through IIS is working. We'll see how stable it is but so far so good.

Report · Jun 30, 2022

Wow, another 18 months between comments here. 🙂

If it may help you or others, I'll note that the proxying through iis (as setup via cf's wsproxy) does in fact still use "the built-in [cf] websocket server", per se. It's indeed just "proxied through iis" via that mechanism.

But I gather you mean that trying to connect to it DIRECTLY was troublesome for you. And that can happen, for any number of reasons.

FWIW, the same can happen with challenges using the cf built-in web server, which might go away using the iis (or apache) cf web server connector (wsconfig). Again there are various explanations for that.

An interesting thing is that most DO tend to access cf using such a web server, such that many would never encounter such challenges with the built-in web server. But often when starting with we sockets, they instead tend to be shown first only accessing them in cf directly rather than via the proxy.

Just saying your situation is not that unusual, and I hope this perspective on things could help some future reader struggling with the process. 🙂 Hope things continue to go well for you.

/Charlie (troubleshooter, carehart.org)

Adobe Community

Coldfusion 11 - Web Sockets via SSL