Well, I've hinted at it as a possible solution a couple times but I lack
confidence (ha).  Jeff - give it a shot. It's easy and you never know.

-Mark

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Friday, July 26, 2013 9:18 AM
To: cf-talk
Subject: Re: issue with cfhttp and client certificates


sorry no idea never tried, you would have to try it and see :-)


On Fri, Jul 26, 2013 at 3:16 PM, Mark A Kruger <mkru...@cfwebtools.com> wrote:

>
> Russ,
>
> Would changing the sys property for unsafe renegotiation allow the JVM to
> proceed if this was this issue?
>
> -Mark
>
> (I'm thinking of this arg -Dsun.security.ssl.allowUnsafeRenegotiation=true
> )
>
> -----Original Message-----
> From: Russ Michaels [mailto:r...@michaels.me.uk]
> Sent: Thursday, July 25, 2013 6:25 PM
> To: cf-talk
> Subject: Re: issue with cfhttp and client certificates
>
>
> it should be noted that the minimum requirement for certs now is 2048bit,
> it is not even possible to generate a cert with less than this with most
> CSA's, so perhaps this is the issue, maybe 1024 is not even supported by
> java now.
>
>
> On Thu, Jul 25, 2013 at 11:52 PM, Jeff Garza <j...@garzasixpack.com>
> wrote:
>
> >
> > The .pfx is an RSA 1024 bit key.  Nothing out of the usual.  And this
> > exact key worked just fine in a default install of CF9.
> > --
> > Jeff
> >
> > -------- Original Message --------
> > > From: "Jon Clausen" <jon_clau...@silowebworks.com>
> > > Sent: Thursday, July 25, 2013 3:29 PM
> > > To: "cf-talk" <cf-talk@houseoffusion.com>
> > > Subject: Re: issue with cfhttp and client certificates
> > >
> > > Long shot, but what is the key length on the encryption?  Could it be
> > > an issue with the encryption capabilities currently set on the new JVM
> > > for CF10?
> > >
> > > Explanation: http://www.petefreitag.com/item/803.cfm
> > >
> > >
> > > On Jul 25, 2013, at 4:44 PM, "Jeff Garza" <j...@garzasixpack.com>
> > > wrote:
> > >
> > > >
> > > > Mark,
> > > >
> > > > On the CF9 Server we're at Java version 1.6.0_17 and the arguments
> > > > from the CFAdmin look like the following: "-server
> > > > -Dsun.io.useCanonCaches=false
> > > > -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch
> > > > -Dcoldfusion.rootDir={application.home}/../
> > > > -Dcoldfusion.libPath={application.home}/../lib
> > > > -Dcoldfusion.spooltimeout=120".
> > > >
> > > > On the CF10 server it's at Java version 1.7.0_15  and the args are:
> > > > "-server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch
> > > > -Dcoldfusion.home={application.home}
> > > > -Dcoldfusion.rootDir={application.home}
> > > > -Dcoldfusion.libPath={application.home}/lib
> > > > -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true
> > > > -Dcoldfusion.jsafe.defaultalgo=FIPS186Random
> > > > -Dcoldfusion.spooltimeout=120"
> > > >
> > > > Though, based on the error, I don't think this is a handshake issue.
> > > > It looks like an issue where the JVM can't even open the certificate
> > > > file to pass the public key on to the server.  Which is why this is so
> > > > strange that CF9 with the older JVM would be able to do it, but the new
> > > > one can't.
> > > > --Jeff
> > > >
> > > > -------- Original Message --------
> > > >> From: "Mark A Kruger" <mkru...@cfwebtools.com>
> > > >> Sent: Thursday, July 25, 2013 1:25 PM
> > > >> To: "cf-talk" <cf-talk@houseoffusion.com>
> > > >> Subject: RE: issue with cfhttp and client certificates
> > > >>
> > > >> Jeff,
> > > >>
> > > >> What JVM version are you using on CF9 and what do the args look
> > > >> like? Sometimes it's a matter of the handshake and levels of TLS/SSL -
> > > >> the error may be not specific enough to tell. You can enable logging
> > > >> to get a grip on it though. That would tell you more.
> > > >>
> > > >> -Mark
> > > >>
> > > >>
> > > >> -----Original Message-----
> > > >> From: Jeff Garza [mailto:j...@garzasixpack.com]
> > > >> Sent: Thursday, July 25, 2013 12:25 PM
> > > >> To: cf-talk
> > > >> Subject: issue with cfhttp and client certificates
> > > >>
> > > >>
> > > >> Ok, so here's the issue.  A process that was working just fine on
> > > >> CF9 is now broken on CF10.  We have a service that we call that
> > > >> requires us to submit a client certificate to the server.  In CF9,
> > > >> this worked just fine.  Use the clientcert and clientcertpass
> > > >> attributes of CFHTTP and you're good to go.  It reads the .pfx file
> > > >> fine and everything runs...  This is not a cacerts issue as you do
> > > >> not have to have the key in the keystore to use it.
> > > >> Forward to CF10, the exact same code and certificates now give the
> > > >> error:
> > > >>
> > > >> "Error while trying to get the SSL client certificate:
> > > >> java.security.UnrecoverableKeyException: Could not decrypt key:
> > > >> Could not decode key from BER. (Invalid encoding: expected tag not
> > > >> there. )."
> > > >> It's like it's unable to open the .pfx certificate file.
> > > >> I know this is a long shot since there are not many folks out there
> > > >> using client certs, but has anyone else run across this issue?
> > > >> Thanks,
> > > >> Jeff Garza



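A way to reproduce the failing step outside ColdFusion, as an added example that is not code from this thread or from Adobe/ColdFusion: cfhttp's clientcert and clientcertpass attributes ultimately load the .pfx as a PKCS12 KeyStore and hand it to JSSE, and this small Java program does the same steps under whichever JVM you run it with, so you can tell a file the PKCS12 provider cannot decode (the UnrecoverableKeyException Jeff quotes) apart from a TLS handshake problem. It also prints the RSA modulus length, which answers Jon's key-length question directly. The class name PfxCheck and the file-path and password command-line arguments are assumptions of this example; the KeyStore, RSAKey and KeyManagerFactory calls are standard JDK API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;

/**
 * Reproduce, outside ColdFusion, what cfhttp's clientcert/clientcertpass
 * attributes have to do: open the .pfx as a PKCS12 KeyStore with the running
 * JVM's own provider, decrypt the private key, and hand the store to JSSE.
 *
 * Usage (path and password are assumed arguments, supply your own):
 *   java PfxCheck /path/to/client.pfx 'pfx-password'
 */
public class PfxCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PfxCheck <file.pfx> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();

        // Step 1: can this JVM's PKCS12 provider decode the container at all?
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        System.out.println("PKCS12 provider: " + ks.getProvider().getName()
                + " (java " + System.getProperty("java.version") + ")");

        // Step 2: walk every entry and try to decrypt the private key.
        // "Could not decrypt key" surfaces from getKey(), not from load(),
        // so report it per alias instead of letting it abort the run.
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            System.out.println("alias: " + alias
                    + (ks.isKeyEntry(alias) ? " [key entry]" : " [trusted cert]"));
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                System.out.println("  subject:  " + x.getSubjectX500Principal());
                System.out.println("  notAfter: " + x.getNotAfter());
            }
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            try {
                PrivateKey key = (PrivateKey) ks.getKey(alias, password);
                // For RSA keys the modulus length is the "key length" in bits.
                String size = key instanceof RSAKey
                        ? ((RSAKey) key).getModulus().bitLength() + " bits" : "n/a";
                System.out.println("  key: " + key.getAlgorithm() + " " + size
                        + " (format " + key.getFormat() + ")");
            } catch (UnrecoverableKeyException e) {
                System.out.println("  KEY UNREADABLE: " + e.getMessage());
            }
        }

        // Step 3: hand the store to the JSSE KeyManagerFactory exactly as an
        // HTTPS client does; this is the point at which cfhttp gives up.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        System.out.println("KeyManagerFactory initialised with "
                + kmf.getKeyManagers().length + " key manager(s)");
    }
}
```

Compile and run it once with the CF10 server's JVM (the 1.7.0_15 one in the thread) and once with the CF9 JVM to see whether the decode itself differs between the two; if step 2 already fails under 1.7, the problem is the container, not the handshake, and the handshake-level suggestions can be set aside. Adding -Djavax.net.debug=ssl to the java command line turns on the JSSE handshake logging Mark mentions, and -Dsun.security.ssl.allowUnsafeRenegotiation=true can be tried the same way on this test program rather than on the ColdFusion instance, bearing in mind that the latter switches off the JVM's protection against insecure TLS renegotiation, so it belongs in a one-off diagnostic run and not in the server's permanent arguments.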
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356328