CFLDAP socket closed error against SSL


hofar...@houseoffusion.com

Dec 10, 2013, 3:36:52 PM12/10/13
to ColdFusion Technical Talk

Here's the weirdness I'm experiencing...

I have a Custom Tag we've been using for years that is called from most
of our applications and authenticates them to a Sun LDAP server.

We are moving to an Active Directory service, and when I attempt to do a
bind against the new system, I get:

An error has occurred while trying to execute query :servername.com:636;
socket closed.

However, if I run that SAME cfldap command in a .cfm file out in a
regular web folder (i.e. not as a Custom Tag under the ColdFusion
directory), it works fine!

I have restarted the server to make sure any old Custom Tag code isn't
somehow cached. I have verified the SSL (636) port is open to the CF
server.

Any ideas on this one? Very confused by this.

Thanks for any feedback!

Dan

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357330

hofar...@houseoffusion.com

Dec 10, 2013, 3:50:03 PM12/10/13
to ColdFusion Technical Talk

I take it back... exact same code EXCEPT my code outside the Custom
Tag folder had excluded the PORT attribute, so I assume it was going to
the non-SSL port and working fine.

Once I added port = "636" to that code, I got the exact same response: socket closed

Again, the LDAPS (636) port is open to the ColdFusion server.

I'm thinking it's an SSL issue. What steps need to be taken to ensure
LDAPS communication works?

Thanks!

Dan
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357331

hofar...@houseoffusion.com

Dec 10, 2013, 3:51:00 PM12/10/13
to ColdFusion Technical Talk

What if you wrote it as a function and put it in a CFC?


Robert Harrison
Director of Interactive Services

Austin & Williams
Advertising | Branding | Digital | Direct
125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
T 631.231.6600 X 119  F 631.434.7022
http://www.austin-williams.com

Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_williams
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357332

hofar...@houseoffusion.com

Dec 10, 2013, 5:53:32 PM12/10/13
to ColdFusion Technical Talk

hofar...@houseoffusion.com

Dec 10, 2013, 6:31:53 PM12/10/13
to ColdFusion Technical Talk

No. How do we do that?

Is it the individual server certificate(s) that we connect to that are
put into the key store?

Or a Certificate Authority certificate we need?

Where is the key store on the CF Server and how do we manipulate it?

Thanks,

Dan
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357334

hofar...@houseoffusion.com

Dec 10, 2013, 7:18:27 PM12/10/13
to ColdFusion Technical Talk

hofar...@houseoffusion.com

Dec 10, 2013, 7:19:01 PM12/10/13
to ColdFusion Technical Talk

That's only necessary if the certificate from the LDAP server isn't
signed by a known CA. (e.g. it's self-signed.)

If it is, you need to import the LDAP server's public key into your CF
server's java keystore. I wrote up a doc on how to do it a while back:

https://docs.google.com/document/d/12Ef1SwddMh0oO11TS3lt5E8VGiVCsdI8WmYn8qQLW4c/edit?usp=sharing
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357336

hofar...@houseoffusion.com

Dec 10, 2013, 7:19:53 PM12/10/13
to ColdFusion Technical Talk

hofar...@houseoffusion.com

Dec 10, 2013, 7:19:18 PM12/10/13
to ColdFusion Technical Talk

Okay, so I looked up how to do it and used the following command syntax:

C:\CFusion\runtime\jre\bin\keytool.exe -import -v -alias aliasname -file C:\temp\certfile.cer -keystore C:\CFusion\runtime\jre\lib\security\cacerts -storepass password

which imported successfully (verified with the list command).

Restarted server (in case that is required). Still get socket closed. :-(

I imported *just* the certificate from the server I'm connecting to. Do
I need anything else in there? Like any of the intermediate/chain or
root certs as well?

Should I be importing some sort of combined certificate? Or just
individually import one at a time?

Any help is appreciated.

Thanks,

Dan

On 12/10/2013 2:53 PM, Russ Michaels wrote:
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357338

hofar...@houseoffusion.com

Dec 10, 2013, 7:23:35 PM12/10/13
to ColdFusion Technical Talk

Can you connect to it via any other tools on the CF box? If you have
another client that might help determine whether it's a server/network
issue or a CF/Java issue.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357339

hofar...@houseoffusion.com

Dec 10, 2013, 7:32:27 PM12/10/13
to ColdFusion Technical Talk

I've connected to the port using telnet and using a port scanner - both
show the port is open.

This is an LDAPS connection (port 636), so a standard web browser, or
curl, etc., won't really work as a client, as far as I know.

Dan
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357340

hofar...@houseoffusion.com

Dec 10, 2013, 7:37:29 PM12/10/13
to ColdFusion Technical Talk

hofar...@houseoffusion.com

Dec 10, 2013, 8:36:03 PM12/10/13
to ColdFusion Technical Talk

> That's only necessary if the certificate from the LDAP server isn't
> signed by a known CA. (e.g. it's self-signed.)

... or signed by a root CA that's not in the keystore - this happens
fairly commonly in my experience.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357342

hofar...@houseoffusion.com

Dec 11, 2013, 2:49:06 AM12/11/13
to ColdFusion Technical Talk

Used LDAP Browser and it fails with the following message:

CA certificate is not in the server certificate chain

So I've used the keytool to import all three:

1 - Comodo CA
2 - the intermediate/root cert of the server
3 - the cert of the server itself.

Restarted and it still complains with the above message.

I'm confused as to which cert/s need to be imported using the keytool.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357343

hofar...@houseoffusion.com

Dec 12, 2013, 9:35:56 AM12/12/13
to ColdFusion Technical Talk

> Used LDAP Browser and it fails with the following message:
>
> CA certificate is not in the server certificate chain
>
> So I've used the keytool to import the all three:
>
> 1 - Comodo CA
> 2 - the intermediate/root cert of the server
> 3 - the cert of the server itself.
>
> Restarted and it still complains with the above message.
>
> I'm confused as to which cert/s need to be imported using the keytool.

If you're using LDAP Browser to test your AD server, it's going to
give you that error until your AD server has the complete certificate
chain installed. That has nothing to do with CF needing the
certificate(s) installed. I recommend you install the entire
certificate chain there too, just to avoid potential problems.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357348
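Dan's question (which certs go into the keystore) and Dave Watts's answer (the AD server has to send the complete chain, and the CF JRE has to trust the root that issued it) are two separate checks, and both can be reproduced offline. What follows is an added example, not code from the thread, from Adobe, or from any of the posters: it builds a throwaway root, intermediate and server certificate with openssl and then runs the three situations discussed above through openssl verify. Everything in it is made up for the demo: the CA names, the host name ldap.example.com, the alias demo-root, the keystore file demo-cacerts.jks and the password changeit (the JRE default). The cacerts path in the comments is the one Dan posted.

```shell
#!/bin/sh
# Added example (not from the thread or from Adobe): rebuild the chain situation
# Dan and Dave Watts discuss with a throwaway PKI, entirely offline.
#   Demo root CA (self-signed) -> Demo Intermediate CA -> ldap.example.com
# plus an unrelated "wrong" root standing in for a root that is not in cacerts.
# All names, file names and the password are made up for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.com\nextendedKeyUsage=serverAuth\n' > srv.ext

for name in root wrong-root; do            # two self-signed roots
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.crt" \
    -subj "/CN=Demo $name CA" -days 3650 2>/dev/null
done
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 1825 -extfile ca.ext 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.csr \
  -subj "/CN=ldap.example.com" 2>/dev/null
openssl x509 -req -in ldap.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out ldap.crt -days 365 -extfile srv.ext 2>/dev/null

# What any TLS client (Java included) does: walk from the leaf the server sent,
# through whatever intermediates it sent, to a cert in the local trust store.
#   $1 trust store ("cacerts")  $2 leaf the server sent  $3 intermediates it sent (optional)
# Prints "ok" or "fail".
chain_status() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

echo "leaf only sent, root trusted:               $(chain_status root.crt ldap.crt)"                  # fail
echo "leaf+intermediate sent, root trusted:       $(chain_status root.crt ldap.crt inter.crt)"        # ok
echo "leaf+intermediate sent, wrong root trusted: $(chain_status wrong-root.crt ldap.crt inter.crt)"  # fail
# openssl's wording for the first case (the server is not sending its chain):
openssl verify -CAfile root.crt ldap.crt 2>&1 | grep -m1 error

# The CF side of the fix: the *root* goes into the JRE's cacerts, not just the leaf.
# Done against a fresh keystore here so the demo never touches a real JRE; on the
# server -keystore is <cfusion>\runtime\jre\lib\security\cacerts (Dan's path) and
# the default store password is changeit.  Restart CF afterwards; the JVM does not
# re-read cacerts on the fly.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -trustcacerts -alias demo-root -file root.crt \
    -keystore demo-cacerts.jks -storepass changeit >/dev/null 2>&1
  keytool -list -keystore demo-cacerts.jks -storepass changeit 2>/dev/null | grep -i demo-root
fi

# Against the real AD host (not run here, no network): which certs does it actually
# send?  A single "s:/i:" pair means the leaf alone; "Verify return code: 0" means
# the system trust store could validate what it sent.
probe_ldaps() {
  openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null |
    grep -E '^ *[0-9]+ s:| i:|Verify return code'
}
```

The first and third cases are the two different failures in the thread: the first is the one LDAP Browser reports (the server sends only its own cert, so no client can build the chain no matter what is in its trust store), the third is the one Dave Watts describes (the chain is complete but the issuing root is not in the client's keystore). Only the third is fixed by keytool on the CF box; the first has to be fixed on the AD server by installing the intermediate there. Running probe_ldaps against the real host tells you which one you have before you touch cacerts.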