cfldap and ssl


Charles Heizer

17 Feb 2015 11:41:57
to lu...@googlegroups.com
Hello,
Is cfldap using secure functional? I'm trying a quick test which works in OpenBD but I keep getting an error saying "The Error Occurred in line 14" ... secure="CFSSL_BASIC"

Thanks,
Charles


Robert Munn

17 Feb 2015 14:08:43
to lu...@googlegroups.com
I am using cfldap with cfssl_basic and have no problems on Lucee.



Robert Munn

17 Feb 2015 14:19:36
to lu...@googlegroups.com
FYI, on a clean install on my dev system I had to import the self-signed SSL cert for my dev LDAP instance into the cacerts file that Lucee uses. 

Charles Heizer

23 Feb 2015 14:15:33
to lu...@googlegroups.com
Interesting. I did not try the cacerts file. In OpenBD, and this is not an OpenBD thing but via Tomcat I use the 

CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=/path/to/certStore"

Is the cacerts different than the javax.net.ssl.trustStore?

Thanks,
Charlie

Robert Munn

23 Feb 2015 14:43:35
to lu...@googlegroups.com
The default keystore in Lucee is here:

./WEB-INF/lib/lucee-server/context/security/cacerts

You should not need to define it in CATALINA_OPTS. Just use keytool to import the certificates you need the application to trust.
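
The import described above, as an added example that is not part of the original post: a shell function that shows the certificate's fingerprints, backs up the store and imports the certificate with keytool. The store password `changeit` (the Java default) and the file and alias names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: import a certificate into the trust store Lucee reads.
# Assumptions (not from the thread): the store password is the Java default
# "changeit"; the certificate file name and alias below are placeholders.

LUCEE_CACERTS="./WEB-INF/lib/lucee-server/context/security/cacerts"

# import_trusted_cert CERT_FILE ALIAS [KEYSTORE]
# Returns: 0 imported, 2 certificate unreadable, 3 keystore missing,
#          4 keytool not on PATH, 5 alias already present, 6 keytool/copy failed.
import_trusted_cert() {
    cert=$1; entry=$2; store=${3:-$LUCEE_CACERTS}; pass=${STOREPASS:-changeit}

    [ -r "$cert" ]  || { echo "cannot read certificate: $cert" >&2; return 2; }
    [ -f "$store" ] || { echo "keystore not found: $store" >&2; return 3; }
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 4; }

    # Print subject, issuer and fingerprints so they can be compared with the
    # values reported by the LDAP server's administrator before trusting it.
    keytool -printcert -file "$cert" || return 6

    # Refuse to replace an existing entry silently.
    if keytool -list -keystore "$store" -storepass "$pass" -alias "$entry" >/dev/null 2>&1; then
        echo "alias already in keystore: $entry" >&2
        return 5
    fi

    # Keep a copy of the store so the change can be rolled back.
    cp -p "$store" "$store.bak" || return 6

    keytool -importcert -noprompt -trustcacerts \
        -alias "$entry" -file "$cert" \
        -keystore "$store" -storepass "$pass" || return 6

    # Confirm the entry is now present.
    keytool -list -keystore "$store" -storepass "$pass" -alias "$entry"
}

# Usage (from the web root; restart the servlet container afterwards):
#   import_trusted_cert dev-ldap.pem dev-ldap
```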




Charles Heizer

23 Feb 2015 16:44:49
to lu...@googlegroups.com
Sweet! Thank you, it now works fine!

By any chance is there a config to reference a different cacerts file?

Thanks,
Charlie

denstar

23 Feb 2015 21:58:50
to lu...@googlegroups.com
On 2/23/15 2:44 PM, Charles Heizer wrote:
> Sweet! Thank you, it now works fine!
>
> By any chance is there a config to reference a different cacerts file?

File a ticket for it, por favor-- that should be an easy one.

I don't know if these ever got added, but they'd be swell to have as well:

http://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html

Mainly http.proxyHost and http.proxyPort I think, and it's been years
since I checked, so they might be in there already, but it came to mind,
since they're handy props too.

FWIW a quick grep didn't see 'em being read anywhere.

-Den

Jamie Jackson

26 Feb 2015 11:32:17
to lu...@googlegroups.com
Let's not forget the cute GUI cert installer in the server admin: Server Admin > Services > SSL Certificates 

(I only learned about it a couple days ago.)

Robert Munn

28 Feb 2015 21:26:42
to lu...@googlegroups.com

In my case I needed to import a self-signed cert manually because the name does not resolve correctly.  I think that is a common enough problem that it would be useful for the import function to have a way to upload a cert file.



AJ Mercer

15 Apr 2015 23:58:38
to lu...@googlegroups.com
Can the Lucee Admin SSL installer handle wildcard self-signed certificates?

I keep getting this error (in Lucee [5 express with jre1.8.0_40], Railo 4.2 and ACF 8)
cfhttp (Struct)
  charset         string
  errordetail     string    Unknown host: peer not authenticated
  filecontent     string    Connection Failure
  header          string
  mimetype        string    Unable to determine MIME type of file.
  responseheader  Struct
  statuscode      string    Connection Failure. Status code unavailable.
  text            boolean   true

SSL Certificates from host tyrion.tradecentre.io

Subject: EMAILADDRESS=cr...@lwl.com, CN=*.tradecentre.io, OU=Technology, O=LWL Pty Ltd, L=Perth, ST=Western Australia, C=AU
Issuer:  EMAILADDRESS=cr...@lwl.com, CN=*.tradecentre.io, OU=Technology, O=LWL Pty Ltd, L=Perth, ST=Western Australia, C=AU



Robert Munn

16 Apr 2015 00:52:15
to lu...@googlegroups.com
It should be able to handle self-signed certs. You will need to add the certificate authority for your self-signed cert to the Java trusted certificate authority store, so you need to import the public certificate chain for the ca that signed the cert into cacerts.

AJ Mercer

16 Apr 2015 01:45:10
to lu...@googlegroups.com
I think the issue is with the wildcard certificate

Robert Munn

16 Apr 2015 02:34:10
to lu...@googlegroups.com
I may give this a go and see what I can do with it. I’ll let you know.

Robert
