As part of our Java Update process, I’ve been updating the Java version that our ColdFusion servers (9.0.1 Cumulative Hotfix 4) use from Java 1.6_xx to 1.7_17. Overall, no issues, except… when trying to connect to a couple of internal servers via cfhttp (https).
I have imported the existing certs (that we have been using successfully with Java 1.6_xx) into the 1.7_17 keystore, and yet I get an “I/O Exception: peer not authenticated” error. This, in most cases, implies that the certificate is not valid. However, if I point ColdFusion back to Java 1.6_xx, the cfhttp call works fine.
My theory is that, for some reason, the certs are not “quite right” and whereas Java 1.6 accepted them, Java 1.7 is more strict in regards to certs.
Has anyone else experienced this, or have some advice?
Thanks in advance...
No replies since March 12?
We had the same issue, albeit with CF10 with Java 1.7. The local_policy and US_export_policy JAR files need replacing. You can get them from Oracle (http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html). Our JARs are installed at C:\ColdFusion10\jre\lib\security - yours will be different, but the \lib\security folder is where they'll reside. We stopped ColdFusion, backed up the security folder, and then overwrote the files in that folder with the ones from Oracle, and restarted. CFHTTP with https:// then started to work. Is your certificate a 2048 bit variety btw?
If you can't get it to work try the CFX_HTTP custom tag as a workaround. This worked for us too until we changed the JARs. I'd actually stick with CFX_HTTP if I had the issue again - great custom tag with lots of features and works straight away.
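A diagnostic for the situation discussed in this thread, added here as an example and not written by any of the posters: it reports whether the JRE has picked up the unlimited-strength policy JARs and repeats the HTTPS handshake outside ColdFusion so the underlying SSL exception is visible. The class name `TlsCheck` and the default host `internal.example.test` are placeholders; compile and run it with the same JRE that ColdFusion is configured to use.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.Cipher;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsCheck {
    public static void main(String[] args) throws Exception {
        // Assumption: host and port come from the command line; the default host is a placeholder.
        String host = args.length > 0 ? args[0] : "internal.example.test";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // Confirm which JRE is actually running before drawing conclusions.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // 128 means the limited policy JARs are active;
        // Integer.MAX_VALUE means the unlimited-strength JARs were loaded.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key  = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        // The default factory validates the peer against this JRE's default trust store.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.setSoTimeout(10000);
            // A failure here throws the SSL exception that cfhttp hides behind
            // "peer not authenticated".
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("protocol     = " + session.getProtocol());
            System.out.println("cipher suite = " + session.getCipherSuite());
            for (Certificate c : session.getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                String keyInfo = x.getPublicKey().getAlgorithm();
                if (x.getPublicKey() instanceof RSAPublicKey) {
                    keyInfo += " " + ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength() + " bits";
                }
                System.out.println("cert         = " + x.getSubjectX500Principal().getName()
                        + " [" + keyInfo + ", sig " + x.getSigAlgName() + "]");
            }
        } finally {
            socket.close();
        }
    }
}
```

Running it again with `-Djavax.net.debug=ssl:handshake` prints the full handshake trace from the JRE.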