4 Replies Latest reply on Jul 13, 2015 4:10 AM by ronboy30

    Why am I getting handshake error on cfhttp with SSL certificate?

    ronboy30 Level 1


      We upgraded from CF9 to CF11.  We copied the cacerts file to the new server, but now I am getting a handshake failure with the cfhttp tag.  I spoke with a tech on their end.  He said he sees the original request come in.  They send back their part of the handshake and are expecting to see something from us, which they are not.  I turned on SSL logging and can see the verbiage "valid certificate found".  It just appears that for some reason we are not completing the handshake.  All we see in the logs after the ClientHello, ServerHello and ServerHelloDone portions is an I/O exception handshake_failure.  Is there anything special in the CF11 upgrade that needs to be done in order to configure the cfhttp tag for SSL to work?

        • 1. Re: Why am I getting handshake error on cfhttp with SSL certificate?
          ronboy30 Level 1

          As a follow-up, I have tested a Java class that simply does an HTTP post with our cacerts file.  This is being done outside of ColdFusion and works successfully.  I have put debugging on and see one step in the working CF9 log that is not present in the non-working CF11 log.

          As soon as ColdFusion starts up on the working server, I see a reference to the keystore listed below:

          keystore is: /opt/coldfusion9/runtime/jre/lib/security/cacerts

          found key for:  ***alias for cert****

          then it displays the correct certificate for the server.

          In the CF11 log, which is not working, there is nothing logged about initializing the keystore at all.  It almost appears that ColdFusion does not know about the keystore at all.

          Further on in both of the logs, both have the entry for the truststore and adding the trusted certs.

          Is there somewhere in a configuration file for CF11 where you identify where/what the keystore file is?  I think that is the part that we are missing in our upgrade to CF11.  Bottom line is that the truststore is being read on both servers but the keystore is only being read on CF9.  Thanks,

          Ronnie


          • 2. Re: Why am I getting handshake error on cfhttp with SSL certificate?
            Steve Sommers Level 4

            Not sure if this helps, but I have not had any compatibility issues between CF9 and CF11 other than that the cacerts location is slightly different and the keytool has slightly different syntax. Here is a batch file I use to import certificates:

            @ECHO OFF
            REM import-cert.bat: import a certificate into the ColdFusion JRE's cacerts truststore.
            REM %1 = path to the ColdFusion JRE, %2 = certificate file, %3 = CF version (optional).
            REM %~1 / %~2 / %~3 strip surrounding quotes so quoted paths containing spaces still work.
            IF "%~1"=="" GOTO Help
            IF "%~2"=="" GOTO Help

            IF NOT EXIST "%~1\bin\keytool.exe" GOTO BadPath
            IF NOT EXIST "%~1\lib\security\cacerts" GOTO BadPath

            IF NOT EXIST "%~2" GOTO BadCert

            IF "%~3"=="10" GOTO KeyTool2
            IF "%~3"=="11" GOTO KeyTool2

            :KeyTool1
            REM CF9 keytool syntax. "changeit" is the stock JRE cacerts password; adjust if yours was changed.
            "%~1\bin\keytool.exe" -import -v -alias "%~2" -file "%~2" -keystore "%~1\lib\security\cacerts" -storepass changeit
            GOTO End

            :KeyTool2
            REM CF10/CF11 keytool syntax uses -importcert.
            "%~1\bin\keytool.exe" -importcert -v -alias "%~2" -file "%~2" -keystore "%~1\lib\security\cacerts" -storepass changeit
            GOTO End

            :BadPath
            ECHO.
            ECHO Path not found! This indicates that one or both of the following were not found:
            ECHO.
            ECHO %~1\bin\keytool.exe
            ECHO %~1\lib\security\cacerts
            GOTO Help

            :BadCert
            ECHO.
            ECHO Certificate not found!
            GOTO Help

            :Help
            ECHO.
            ECHO Syntax: import-cert [jre] [certificate] [cfversion, optional]
            ECHO.
            ECHO     jre: Full path to the ColdFusion JRE
            ECHO     certificate: certificate.crt
            ECHO     cfversion: Optional - 9, 10 or 11 - default 9 -- used to specify keytool version 1.4.2 or greater (CF10 or 11)
            ECHO.
            ECHO Example CF9:
            ECHO   import-cert d:\coldfusion9\runtime\jre example.crt
            ECHO.
            ECHO Example CF11:
            ECHO   import-cert d:\coldfusion11\jre example.crt 11
            ECHO.
            ECHO.

            :End

            • 3. Re: Why am I getting handshake error on cfhttp with SSL certificate?
              BKBK Adobe Community Professional & MVP

              Steve, Ron Boy is apparently on Unix. The corresponding paths are something like

              /opt/coldfusion11/jre/bin/keytool

              /opt/coldfusion11/jre/lib/security/cacerts

              • 4. Re: Why am I getting handshake error on cfhttp with SSL certificate?
                ronboy30 Level 1

                We have solved the problem.  It appears that adding the following statements to the jvm.config file corrected it.  The best that I can figure is that CF needed to be directed to the keystore file in addition to the truststore file.  From my reading, the keystore file contains the certs that the client (us, in this case) sends to the server to authenticate.  This is what we are doing in the case of cfhttp with an external server.  The truststore contains the certs of the servers that we trust.  The truststore and keystore can be in the same file, but based on the logs we never saw the keystore being initialized.  Once we added the following commands, we saw the keystore being loaded and the cfhttp tag worked perfectly!!!  Thanks for everyone's help.

                -Djavax.net.ssl.keyStore=/opt/coldfusion11/jre/lib/security/cacerts

                -Djavax.net.ssl.keyStorePassword=*************

                -Djavax.net.ssl.trustStore=/opt/coldfusion11/jre/lib/security/cacerts

                -Djavax.net.ssl.trustStorePassword=************
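The handshake this thread is about, as an added example written for this page in Go (it is not ColdFusion or Java code and does not come from any of the posts above). A test server requires and verifies a client certificate, and the client is run twice: once with a trust store only, which is the CF11 state described in the follow-up post (the server's certificate is trusted, but there is no identity to present when the server's CertificateRequest arrives, so the server aborts with an alert after the client's empty Certificate message), and once with a keystore identity as well. The certificates, the names server.example and cf11-client, the loopback port and the function names MutualTLS and selfSigned are all constructed for the example; Go's tls.Config fields RootCAs and Certificates stand in for javax.net.ssl.trustStore and javax.net.ssl.keyStore. The caveat a practitioner should take from it: a keystore setting only helps if the file actually holds the client's private key and certificate. The "found key for: alias" line in the working CF9 log is JSSE's key manager reporting exactly such a private-key entry, and it is that entry, not the trusted CA certificates, that answers the CertificateRequest.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error: a failure here means a broken crypto library, not a handshake outcome.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a throwaway self-signed certificate for cn that is both a TLS identity
// (cert + key) and its own trust anchor. Constructed test material: no real cacerts is touched.
func selfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{usage},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// serve accepts one connection, runs the server side of the handshake and, on success,
// greets the client by the CN of the certificate it presented.
func serve(ln net.Listener, cfg *tls.Config) error {
	raw, err := ln.Accept()
	if err != nil {
		return err
	}
	defer raw.Close()
	conn := tls.Server(raw, cfg)
	if err := conn.Handshake(); err != nil {
		return err // e.g. "tls: client didn't provide a certificate"
	}
	_, err = fmt.Fprintf(conn, "hello %s\n", conn.ConnectionState().PeerCertificates[0].Subject.CommonName)
	return err
}

// MutualTLS runs one handshake over loopback TCP against a server that requires and verifies
// a client certificate. With clientHasKeystore=false the client has a trust store only (the
// CF11 state in the thread). Returns the server-side and client-side errors; nil means success.
func MutualTLS(clientHasKeystore bool) (serverErr, clientErr error) {
	serverCert, serverLeaf := selfSigned("server.example", x509.ExtKeyUsageServerAuth)
	clientCert, clientLeaf := selfSigned("cf11-client", x509.ExtKeyUsageClientAuth)
	clientCAs := x509.NewCertPool() // client identities the remote server accepts
	clientCAs.AddCert(clientLeaf)
	serverCfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	trustStore := x509.NewCertPool() // plays the role of javax.net.ssl.trustStore
	trustStore.AddCert(serverLeaf)
	clientCfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trustStore, ServerName: "server.example"}
	if clientHasKeystore {
		// plays the role of javax.net.ssl.keyStore: the key + cert that answer CertificateRequest
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() { serverDone <- serve(ln, serverCfg) }()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err
	}
	defer raw.Close()
	conn := tls.Client(raw, clientCfg)
	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
	// Under TLS 1.2 the client sees the server's alert inside Handshake; under TLS 1.3 its Handshake
	// returns before the server has examined the empty Certificate, so the alert surfaces on the
	// first read. Reading one line from the server covers both cases.
	if clientErr = conn.Handshake(); clientErr == nil {
		_, clientErr = bufio.NewReader(conn).ReadString('\n')
	}
	return <-serverDone, clientErr
}

func main() {
	fmt.Println(MutualTLS(false)) // both non-nil: handshake aborted, like the CF11 log
	fmt.Println(MutualTLS(true))  // <nil> <nil>
}
```

Running the file prints the two outcomes: with a trust store only, both sides report an error, which is the same shape as the thread's log (server's flight complete, then handshake_failure); once the client also carries a private key and certificate, the handshake completes and the server greets the client by the CN it authenticated. The client side reads a line rather than stopping at Handshake() because under TLS 1.3 the client's own handshake returns before the server has rejected the empty Certificate message, so a check that only looks at Handshake() would miss the failure.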