3 Replies Latest reply: Jan 6, 2011 2:26 PM by Dave Watts RSS

    ColdFusion and SSL is giving me a headache.

    ilssac Community Member
    ilssac Jan 6, 2011 2:06 PM

      I have this simple piece of test code.

       

      <cfhttp url="https://10.104.106.113/index.html" port="4433">
      <cfdump var="#cfhttp#">

       

      As you can see I am just trying to make a simple http request over SSL to another web server.  I just want to confirm connectedness at this time.  Real coding will come later.

       

      I am getting the dreaded peer not authorized error.

      ErrorDetail I/O Exception: peer not authenticated

       

      I understand that this usually means that one need to import a security certificate in the java cacerts keystore.  But I did that some time ago, and there are other applications running that I beleive are using this connections, or at least did in times past.

       

      Running this command on the server making the request I find the expected certificate in the keystore.

       

      $ keytool -list -storepass changeit -noprompt -keystore ../lib/security/cacerts -alias winappdev01
      winappdev01, Jun 22, 2010, trustedCertEntry,
      Certificate fingerprint (MD5): 0F:D5:BC:E0:AD:87:53:ED:C2:CD:2A:83:65:83:F3:DF

       

      That is as far as I understand how to manage certificates.  I have no idea how to test that certificate or in anyway validate it.  Can anybody provide me some pointers on where to go from here?

      • 533 Views
      • Tags:
        • 1. Re: ColdFusion and SSL is giving me a headache.
          ilssac Community Member
          ilssac Jan 6, 2011 2:16 PM (in response to ilssac)

          More information.

           

          I do not know why, but after I wrote the first message I was able to connect to the url in my browser.  This did not work before.

           

          Looking at the information of the certificate in the browser the MD5 hashes seem to match.  Does that not mean the certifice is in the keystore?

          10-104-106-39-cert.gif

          • 2. Re: ColdFusion and SSL is giving me a headache.
            Dave Watts CommunityMVP
            Dave Watts Jan 6, 2011 2:26 PM (in response to ilssac)

            Certificates contain a name (host and domain name, typically) and this name is compared to the URL requested. If they don't match, the certificate will not be honored by the client.

             

            You're requesting a URL using an IP address, not a name. This will not work from a client that requires the name to be valid.

             

            Dave Watts, CTO, Fig Leaf Software

            http://www.figleaf.com/

            http://training.figleaf.com/

            • 3. Re: ColdFusion and SSL is giving me a headache.
              ilssac Community Member
              ilssac Jan 7, 2011 9:43 AM (in response to Dave Watts)

              Actually, as one can see from the certificate shown by the browser in my second post, the common name IN the certificate IS the IP address.

               

              And now, through no concious effort in my part, it is working properly.  The only thing I can think of, is that the self signed certificate on the IIS server had expired as it has been some time since we last played with it.  While stumbling around in the dark, I may have regenerated the certificate for some three years.

               

              But I would really like to know more about managing these things so that I am not stumbling around in the dark!