Why am I getting handshake error on cfhttp with SSL certificate?

Report · May 27, 2015

We upgraded from CF9 to CF11. We copied the cacerts file to the new server but now am getting handshake failure with cfhttp tag. Spoke with tech on their end. He said he sees the original request come in. They send back their part of handshake and are expecting to see something from us which they are not. Turned on SSL logging and can see the verbiage "valid certificate found". It just appears that for some reason we are not completing the handshake. All we see in logs after clienthello portion, serverhello portion, serverhellodone portion, is I/O exception handshake_failure. Is there anything special in the CF11 upgrade that needs to be done in order to configure for SSL cfhttp tag to work?

Report · Jul 08, 2015

As a follow up, I have tested a Java class that simply does an http post with our cacerts file. This is being done outside of ColdFusion and works successfully. I have put debugging on and see one step in the working CF9 log that is not present in the not working CF11.

As soon as ColdFusion starts up on the working server, I see a reference to keystore listed below:

keystore is: /opt/coldfusion9/runtime/jre/lib/security/cacerts

found key for: ***alias for cert****

then displays the correct certificate for the server.

In the CF11 log which is not working, there is nothing logged at all about the initializing the keystore at all. It almost appears that ColdFusion does not know about the keystore at all.

Further in both of the logs, both have the entry for truststore and adding the trusted certs.

Is there somewhere in a configuration file for CF11 that you identify where/what the keystore file is? I think that is the part that we are missing in our updgrade to CF11. Bottom line is that the truststore is being read on both servers but the keystore is only being read on CF9. Thanks,

Ronnie

Report · Jul 08, 2015

Not sure if this helps but I have not had any compatibility issues between cf9 and cf11 other than the cacerts location is slightly different and the keytool has slightly different syntax. Here is a batch file I use to import certificates:

@ECHO OFF
IF "%1"=="" GOTO Help
IF "%2"=="" GOTO Help

IF NOT EXIST "%1\bin\keytool.exe" GOTO BadPath
IF NOT EXIST "%1\lib\security\cacerts" GOTO BadPath

IF NOT EXIST "%2" GOTO BadCert

IF "%3"=="10" GOTO KeyTool2
IF "%3"=="11" GOTO KeyTool2

:KeyTool1
"%1\bin\keytool.exe" -import -v -alias "%2" -file "%2" -keystore "%1\lib\security\cacerts" -storepass changeit
GOTO End

:KeyTool2
"%1\bin\keytool.exe" -importcert -v -alias "%2" -file "%2" -keystore "%1\lib\security\cacerts" -storepass changeit
GOTO End

:BadPath
ECHO.
ECHO Path not found! This indicates that one or both the following were not found:
ECHO.
ECHO %1\bin\keytool.exe
ECHO %1\lib\security\cacerts
GOTO Help

:BadCert
ECHO.
ECHO Certificate not found!
GOTO Help

:Help
ECHO.
ECHO Syntax: import-cert [keytool] [certificate] [cfversion, optional]
ECHO.
ECHO     jre: Full path to coldfusion jre
ECHO     certificate: certificate.crt
ECHO     cfversion: Optional - 9, 10 or 11 - default 9 -- used to specify keytool version 1.4.2 or greater (CF10 or 11)
ECHO.
ECHO Example CF9:
ECHO   import-cert d:\coldfusion9\runtime\jre example.crt
ECHO.
ECHO Example CF11:
ECHO   import-cert d:\coldfusion11\jre example.crt 11
ECHO.
ECHO.

:End

Report · Jul 11, 2015

Steve, Ron Boy is apparently on Unix. The corresponding paths are something like

/opt/coldfusion11/jre/bin/keytool

/opt/coldfusion11/jre/lib/security/cacerts

Report · Jul 13, 2015

We have solved the problem. It appears that adding the following statements to the jvm.config file corrected it. The best that I can figure is that CF needed to be directed to the keystore file in addition to the truststore file. From my reading, the keystore file contains the certs that the client (us in this case) uses to send to the server to authenticate. This is what we are doing in the case of the cfhttp with an external server. The truststore contains the certs of the servers that we trust. The truststore and keystore can be in the same file but based on the logs, we never saw the keystore being initiated. Once we added the following commands, we saw the keystore being loaded and the cfhttp tag worked perfectly!!! thanks for everyone's help.

-Djavax.net.ssl.keyStore=/opt/coldfusion11/jre/lib/security/cacerts

-Djavax.net.ssl.keyStorePassword=*************

-Djavax.net.ssl.trustStore=/opt/coldfusion11/jre/lib/security/cacerts

-Djavax.net.ssl.trustStorePassword=************

Adobe Community

Why am I getting handshake error on cfhttp with SSL certificate?