Re: [cfaussie] Re: CFHTTP to invalid SSL host
Thank you all for replying, I feel I should apologize - I can't access gmail during the day at the moment :(

@Dale yes one of those would be nice, been trying for years.

@Mark True. I don't know why I said browsers.

Importing the certificate is not going to help in this case. Or at least I can't find a way to tell the keystore 'hey, this host, with this cert, is okay by me'.

After some investigation, I found how the hostname validation is done and it is possible to implement your own hostname to certificate validator.
Ref: http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#SettingHostnameVerifier

I had great hopes for this utility class below;
http://en.wikibooks.org/wiki/WebObjects/Web_Services/How_to_Trust_Any_SSL_Certificate
It has exactly what I need: SSLUtilities.trustAllHostnames()

I compiled this class and called it from CF but it had no effect. My guess is it's a classloader issue. I'm not quite giving up and I'll try again tomorrow. Perhaps someone more java-nerdy has some ideas? (Mandel I'm looking at you!).

Maybe this could/should be done from CFML ... cfhttp verifyHost=false ... /

Cheers and thanks again.

On 30 June 2010 11:26, Antony Sideropoulos antonysideropou...@gmail.com wrote:

Or you could do it directly within CF using this CFAdmin extension: http://certman.riaforge.org/

On Wed, Jun 30, 2010 at 11:21 AM, Pat p...@heypatty.com wrote:

http://jxplorer.org/ has a fairly nifty GUI for importing certificates into a truststore. I would think that CF would use the truststore of the JRE/JDK that it sits on. The truststore file that java uses is usually contained in a file called cacerts. Open this up with JXplorer and you'll see a complete list of the trusted certs with the ability to add and delete.
On Jun 30, 9:30 am, Barry Chesterman barrychester...@gmail.com wrote:

I could be wrong, but I seem to remember seeing something that you can add a certificate as a 'trusted cert' on the coldfusion server that is doing the cfhttp call, so maybe have a google for that too?

On Wed, Jun 30, 2010 at 10:19 AM, Mark Mandel mark.man...@gmail.com wrote:

I think you're stuck with what Dale is saying, or use keytool to import it into the JDK. Putting an exception into browsers is pretty straightforward.

Mark

On Tue, Jun 29, 2010 at 7:26 PM, MrBuzzy mrbu...@gmail.com wrote:

Dear Brains-trust,

I'd like to make a CFHTTP request over SSL to one of our dev servers. The dev server has a normal SSL certificate, from a trusted root authority. However the host name does not match the name registered to the certificate (because it's a dev host). CFHTTP fails to make the connection.

Any thoughts on how to achieve this?

While I haven't done much googling, I'm thinking about generating an untrusted certificate and using this instead. The downside being the certificate needs to be imported to each JVM and browser, as required.

Cheers.

--
You received this message because you are subscribed to the Google Groups cfaussie group.
To post to this group, send email to cfaus...@googlegroups.com.
To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en.

--
E: mark.man...@gmail.com
T: http://www.twitter.com/neurotic
W: www.compoundtheory.com

cf.Objective(ANZ) - Nov 18, 19 - Melbourne Australia
http://www.cfobjective.com.au

Hands-on ColdFusion ORM Training
www.ColdFusionOrmTraining.com
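The request in the message above ('this host, with this cert, is okay by me') can be met with a verifier scoped to one hostname and one certificate fingerprint, rather than SSLUtilities.trustAllHostnames(). The Java below is an added example, not code from the thread or from the linked utility class; the class name, `dev.example.test` and the fingerprint placeholder are assumptions. It applies to `java.net` `HttpsURLConnection`; the thread does not establish which HTTP client cfhttp uses, and certificate chain validation is left unchanged.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Hypothetical class: accepts a name mismatch for ONE host presenting ONE known certificate.
public class PinnedDevHostVerifier implements HostnameVerifier {
    private final String allowedHost;     // the dev hostname allowed to mismatch
    private final String pinnedSha256Hex; // SHA-256 of the expected leaf certificate (DER), hex

    public PinnedDevHostVerifier(String allowedHost, String pinnedSha256Hex) {
        this.allowedHost = allowedHost;
        this.pinnedSha256Hex = pinnedSha256Hex.replace(":", "").toLowerCase();
    }

    // HttpsURLConnection calls verify() only after its built-in hostname check fails,
    // so returning false leaves every other host subject to the normal rejection.
    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (!allowedHost.equalsIgnoreCase(hostname)) {
            return false;
        }
        try {
            Certificate leaf = session.getPeerCertificates()[0]; // peer's own cert comes first
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString().equals(pinnedSha256Hex);
        } catch (Exception e) {
            return false; // fail closed on any handshake or encoding problem
        }
    }

    // Attach the verifier to a single connection; the JVM-wide default stays untouched.
    public static HttpsURLConnection open(String url, String host, String pin) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setHostnameVerifier(new PinnedDevHostVerifier(host, pin));
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholders: substitute the dev host and its certificate fingerprint.
        HttpsURLConnection conn = open("https://dev.example.test/", "dev.example.test", "<sha256-hex>");
        System.out.println(conn.getHostnameVerifier().getClass().getSimpleName()); // no network I/O yet
    }
}
```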
RE: [cfaussie] Re: CFHTTP to invalid SSL host
Under $500 per year, good deal
https://www.digicert.com/order/order-1.php?prod=2

Regards
Dale Fraser
http://dale.fraser.id.au
http://cfmldocs.com
http://learncf.com
http://flexcf.com

From: cfaussie@googlegroups.com [mailto:cfaus...@googlegroups.com] On Behalf Of MrBuzzy
Sent: Wednesday, 30 June 2010 7:17 PM
To: cfaussie@googlegroups.com
Subject: Re: [cfaussie] Re: CFHTTP to invalid SSL host