ColdFusion 10 - CFHTTP - Random peer not authentic

Published 2019-08-01 12:08

Question:

We have 9 ColdFusion 10 servers running version 10,0,13,287689. We've added the correct certificates to the cacerts file for the Java version being used by ColdFusion. Our CFHTTP SSL calls will work correctly for a while, then suddenly they will start returning peer not authenticated. They will not work again until the ColdFusion instance is recycled, at which point they work until they fail again. There is no information in the coldfusion-out, coldfusion-error, http, or exception ColdFusion logs regarding the failure.

In addition, just because the CFHTTP HTTPS calls begin failing on one ColdFusion instance, doesn’t mean they will fail on the other. Our ColdFusion servers have multiple ColdFusion instances bound to different websites. As such, for example, one instance may give peer not authenticated, and another will work correctly, despite both using the same Java version and cacerts file. Again, recycling the ColdFusion instance that isn't working will resolve the issue and the CFHTTP call will no longer fail with peer not authenticated.

This issue may be related to this: ColdFusion CFHTTP I/O Exception: peer not authenticated - even after adding certs to Keystore

However, I've also tried the steps here to no avail, both the one from Raymond and the one by Peter in the comments: http://www.raymondcamden.com/2011/1/12/Diagnosing-a-CFHTTP-issue--peer-not-authenticated

We've contacted Adobe and they are investigating the issue, but thought I'd see if anyone else has experienced these random CFHTTP SSL failures.

Answer 1:

Adobe support has been absolutely no help. They keep insisting that our certificates are bad or that we do not have our cacerts file setup correctly (despite the fact this worked fine on ColdFusion 9 and will work for some period of time after the ColdFusion instance is recycled).

I ended up working around this issue by interfacing with the java.net.URL library directly using cfobject. When the ColdFusion instance begins failing with peer not authenticated, using java.net.URL still works.

Here's a snippet of code from my cffunction tag (which is in a Custom Tag) that may help anyone else stuck in this situation:

<!--- Open the connection through java.net.URL directly instead of CFHTTP --->
<cfset var urlConnection = createObject("java", "java.net.URL").init("#arguments.requestURL#").openConnection()>
<cfset var inputReader = "">
<cfset var bufferedReader = "">
<cfset var outputWriter = "">
<cfset var responseCode = 0>
<cfset var responseBody = "">
<cfset var line = "">
<cfset urlConnection.setRequestMethod(UCASE(arguments.requestMethod))/>
<cfset urlConnection.setRequestProperty("User-Agent", CGI.HTTP_USER_AGENT)/>
<cfif arguments.requestMethod EQ "POST">
    <!--- Form-encoded body; arguments.requestData is expected to be URL-encoded already --->
    <cfset urlConnection.setRequestProperty("Content-Type","application/x-www-form-urlencoded")/>
    <cfset urlConnection.setDoOutput(true)/>
    <cfset outputWriter = createObject("java", "java.io.OutputStreamWriter").init(urlConnection.getOutputStream())>
    <cfset outputWriter.write(arguments.requestData)/>
    <cfset outputWriter.close()/>
</cfif>
<!--- getResponseCode() sends the request and reads the status line; before that getErrorStream() is always null --->
<cfset responseCode = urlConnection.getResponseCode()>
<!--- On a 4xx/5xx response the body is on the error stream, otherwise on the normal input stream --->
<cfif ISNULL(urlConnection.getErrorStream())>
    <cfset inputReader = createObject("java", "java.io.InputStreamReader").init(urlConnection.getInputStream())>
<cfelse>
    <cfset inputReader = createObject("java", "java.io.InputStreamReader").init(urlConnection.getErrorStream())>
</cfif>

<cfset bufferedReader = createObject("java", "java.io.BufferedReader").init(inputReader)>
<!--- Collect the body line by line; readLine() returns null at end of stream --->
<cfset line = bufferedReader.readLine()>
<cfloop condition="NOT ISNULL(line)">
    <cfset responseBody &= line & chr(10)>
    <cfset line = bufferedReader.readLine()>
</cfloop>
<cfset bufferedReader.close()/>


Answer 2:

We have received the same errors on our ColdFusion 10 server when making CFHTTP calls, even after importing the certificate chain for the server we were calling. Then we discovered that there was more than one copy of the cacerts file in the ColdFusion directory tree. After adding the certificates to the other keystores the problem went away.
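The check that Answer 2 implies, written out as an added example that is not part of the original thread or of ColdFusion itself: walk the ColdFusion install tree, list every cacerts keystore it contains, and report for each one whether a given CA alias has been imported. The install root, the alias name and the keystore password are assumptions (the default JDK cacerts password is "changeit"); the script needs the JDK keytool on PATH and reports UNKNOWN for each keystore if it is absent, so the discovery part still runs on its own.

```shell
#!/bin/sh
# Added example, not from the original post. Lists every JKS "cacerts" file
# under a ColdFusion install root and reports whether ALIAS is present in each,
# so a certificate imported into only one copy is noticed before the other
# copy causes "peer not authenticated". Keystore password defaults to the
# JDK default "changeit" (assumption).

# Print every file named cacerts under the given root, one per line.
find_keystores() {
    find "$1" -type f -name cacerts 2>/dev/null | sort
}

# Number of cacerts files found under a root.
count_keystores() {
    find_keystores "$1" | wc -l | tr -d ' '
}

# Exit 0 if ALIAS is in KEYSTORE, 1 if absent, 2 if keytool is unavailable.
keystore_has_alias() {
    ks="$1"; alias="$2"; pass="${3:-changeit}"
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" >/dev/null 2>&1 && return 0
    return 1
}

# One status line per keystore under ROOT for ALIAS.
audit_keystores() {
    root="$1"; alias="$2"
    find_keystores "$root" | while IFS= read -r ks; do
        if keystore_has_alias "$ks" "$alias"; then rc=0; else rc=$?; fi
        case "$rc" in
            0) echo "PRESENT  $ks" ;;
            1) echo "MISSING  $ks" ;;
            *) echo "UNKNOWN  $ks (keytool not found)" ;;
        esac
    done
}

# Usage (paths and alias are placeholders):
#   sh audit_cacerts.sh /opt/coldfusion10 my-internal-ca
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    audit_keystores "$1" "$2"
fi
```

Any keystore reported MISSING is a candidate for the failing instance; after importing into it, recycle that instance, because the JVM loads the default trust store once when the first TLS connection initialises it and does not pick up later changes.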