issue with cfhttp and client certificates


hofar...@houseoffusion.com

Jul 25, 2013, 1:25:11 PM
to ColdFusion Technical Talk

Ok, so here's the issue. A process that was working just fine on CF9 is
now broken on CF10. We have a service that we call that requires us to
submit a client certificate to the server. In CF9, this worked just fine.
Use the clientcert and clientcertpass attributes of CFHTTP and you're good
to go. It reads the .pfx file fine and everything runs... This is not a
cacerts issue as you do not have to have the key in the keystore to use
it.
Forward to CF10, the exact same code and certificates now give the error:

"Error while trying to get the SSL client certificate:
java.security.UnrecoverableKeyException: Could not decrypt key: Could not
decode key from BER. (Invalid encoding: expected tag not there. )."
It's like it's unable to open the .pfx certificate file.
I know this is a long shot since there are not many folks out there using
client certs, but has anyone else run across this issue?
Thanks,
Jeff Garza
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356316

hofar...@houseoffusion.com

Jul 25, 2013, 4:24:53 PM
to ColdFusion Technical Talk

Jeff,

What JVM version are you using on CF9 and what do the args look like?
Sometimes it's a matter of the handshake and levels of TLS/SSL - the error
may be not specific enough to tell. You can enable logging to get a grip on
it though. That would tell you more.

-Mark
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356317

hofar...@houseoffusion.com

Jul 25, 2013, 4:44:33 PM
to ColdFusion Technical Talk

Mark,

On the CF9 Server we're at Java version 1.6.0_17 and the arguments from
the CFAdmin look like the following: "-server -Dsun.io.useCanonCaches=false
-XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch
-Dcoldfusion.rootDir={application.home}/../
-Dcoldfusion.libPath={application.home}/../lib
-Dcoldfusion.spooltimeout=120".

On the CF10 server it's at Java version 1.7.0_15 and the args are:
"-server -XX:MaxPermSize=192m -XX:+UseParallelGC -Xbatch
-Dcoldfusion.home={application.home}
-Dcoldfusion.rootDir={application.home}
-Dcoldfusion.libPath={application.home}/lib
-Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true
-Dcoldfusion.jsafe.defaultalgo=FIPS186Random
-Dcoldfusion.spooltimeout=120"

Though, based on the error, I don't think this is a handshake issue. It
looks like an issue where the JVM can't even open the certificate file to
pass the public key on to the server. That is why it's so strange that
CF9 with the older JVM would be able to do it, but the new one can't.
--Jeff
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356318

hofar...@houseoffusion.com

Jul 25, 2013, 5:02:47 PM
to ColdFusion Technical Talk

Weird. I would trial and error a few things. Check the keystore on CF9 with
the "list" function and compare with CF10 ... see if anything's missing that
missed your docs :) Try removing the jsafe setting below. Make sure your
CF install has access to the folder containing the certs and can read them.
Not sure I have anything to add.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356319

hofar...@houseoffusion.com

Jul 25, 2013, 5:34:17 PM
to ColdFusion Technical Talk

You don't by any chance have a blank password/no password on the pfx file,
do you?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356320

hofar...@houseoffusion.com

Jul 25, 2013, 6:11:25 PM
to ColdFusion Technical Talk

No, the .pfx file has a password. What's weird is that we even tried
importing to Windows' key repository and re-exporting as a pfx with a
different password and that file wouldn't work either. It crashed with the
same error. I'm really thinking that this may be a bug in how this new
version of Java and/or Apache handles client certs... I guess I'm off to
Adobe support to see what they have to say about it.

--
Jeff
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356321

hofar...@houseoffusion.com

Jul 25, 2013, 5:52:32 PM
to ColdFusion Technical Talk

Long shot, but what is the key length on the encryption? Could it be an issue with the encryption capabilities currently set on the new JVM for CF10?

Explanation: http://www.petefreitag.com/item/803.cfm
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356322

hofar...@houseoffusion.com

Jul 25, 2013, 6:47:16 PM
to ColdFusion Technical Talk

Good point.

Here is the Java Cryptography Extension (JCE) Unlimited Strength
Jurisdiction Policy Files 7 Download:

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356323

hofar...@houseoffusion.com

Jul 25, 2013, 6:52:53 PM
to ColdFusion Technical Talk

The .pfx is an RSA 1024-bit key. Nothing out of the usual. And this exact
key worked just fine in a default install of CF9.
--
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356324

hofar...@houseoffusion.com

Jul 25, 2013, 7:24:56 PM
to ColdFusion Technical Talk

It should be noted that the minimum requirement for certs now is 2048-bit;
it is not even possible to generate a cert with less than this with most
CSA's, so perhaps this is the issue, maybe 1024 is not even supported by
Java now.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356325

hofar...@houseoffusion.com

Jul 26, 2013, 10:16:12 AM
to ColdFusion Technical Talk

Russ,

Would changing the sys property for unsafe renegotiation allow the JVM to
proceed if this was this issue?

-Mark

(I'm thinking of this arg -Dsun.security.ssl.allowUnsafeRenegotiation=true )

-----Original Message-----
From: Russ Michaels [mailto:ru...@michaels.me.uk]
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356326

hofar...@houseoffusion.com

Jul 26, 2013, 10:18:08 AM
to ColdFusion Technical Talk

Sorry, no idea, never tried; you would have to try it and see :-)
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356327

hofar...@houseoffusion.com

Jul 26, 2013, 10:26:11 AM
to ColdFusion Technical Talk

Well, I've hinted at it as a possible solution a couple times but I lack
confidence (ha). Jeff - give it a shot. It's easy and you never know.

-Mark
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356328

hofar...@houseoffusion.com

Sep 24, 2013, 5:21:52 AM
to ColdFusion Technical Talk

Hi Jeff

>"Error while trying to get the SSL client certificate:
>java.security.UnrecoverableKeyException: Could not decrypt key: Could not
>decode key from BER. (Invalid encoding: expected tag not there. )."

I had the same yesterday. While searching for a solution I first came
across your post here, unfortunately with no solution. Later I found a blog
post from Jochem where he describes a similar problem, though with a
different error. But as the key point, an encoding problem, is the same, I
gave it a try.
Following the instructions about converting to PEM, reordering the certs
and converting back to PFX solved the problem for me. (Of course your PFX
should contain the full cert chain.)

http://jochem.vandieten.net/2008/02/28/cfhttp-and-client-certificates/


Best Regards,
Reto, centinated.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356822
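An added diagnostic, not part of this thread and not ColdFusion's or Jochem's code: a stand-alone Java program, here called PfxCheck (the name and the program are my own), that opens a .pfx with the JDK's standard PKCS12 KeyStore and reports the two things the thread turned on. It shows whether the file decodes at all under the JVM it runs on, which is the stage at which Jeff's error appears; the RSA modulus length, which answers Russ's 1024-vs-2048-bit question; and whether the stored chain is ordered leaf-first with each certificate signed by the next, which is what Reto's convert-reorder-convert fix repairs. Run it with the same JVM ColdFusion uses. ColdFusion may load the file through its own provider (the -Dcoldfusion.jsafe argument above suggests one is configured), so a clean result here narrows the problem to the CF code path rather than proving the file is fine everywhere.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Enumeration;

/**
 * PfxCheck: opens a .pfx/.p12 client-certificate file with the JDK's own
 * PKCS12 KeyStore and reports what it finds. Hypothetical helper written
 * for this thread, not ColdFusion code.
 *
 * Usage: java PfxCheck <file.pfx> <password>
 */
public class PfxCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PfxCheck <file.pfx> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            // A file this JVM cannot decode fails here, before any TLS
            // handshake, the same stage at which the cfhttp error surfaces.
            ks.load(in, password);
        }

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            System.out.println("alias: " + alias + "  key entry: " + ks.isKeyEntry(alias));
            if (!ks.isKeyEntry(alias)) {
                continue;
            }

            Key key = ks.getKey(alias, password);
            System.out.println("  key algorithm: " + key.getAlgorithm());
            if (key instanceof RSAKey) {
                // Modulus length answers the 1024-vs-2048-bit question directly.
                System.out.println("  RSA modulus: " + ((RSAKey) key).getModulus().bitLength() + " bits");
            }

            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                x509[i] = (X509Certificate) chain[i];
                System.out.println("  [" + i + "] subject: " + x509[i].getSubjectX500Principal());
                System.out.println("      issuer:  " + x509[i].getIssuerX500Principal());
            }
            System.out.println("  chain ordered leaf-first and internally signed: " + isLeafFirstChain(x509));
        }
    }

    /**
     * True when chain[0] is the end-entity certificate and each certificate
     * is issued and signed by the one that follows it. A PKCS12 rebuilt from
     * PEM in the wrong order fails this check even though every certificate
     * is present.
     */
    static boolean isLeafFirstChain(X509Certificate[] chain) {
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate cert = chain[i];
            X509Certificate issuer = chain[i + 1];
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                return false;
            }
            try {
                cert.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                return false;
            }
        }
        return true;
    }
}
```

Compile and run with `javac PfxCheck.java` and `java PfxCheck client.pfx 'password'` using the JVM under the CF10 install. If `load()` itself throws with an encoding or BER message, the file as this JVM reads it is the problem, which matches Jeff's reading that no handshake is reached; if it loads but the ordering check prints false, the PEM round-trip and reorder that fixed it for Reto is the relevant repair. Password handling is deliberately minimal here: in a real check, read it from a prompt rather than the command line so it does not land in shell history or process listings.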