Details
| Field | Value |
|---|---|
| Severity | Bug with no known workaround |
| Reproducibility | It happens each and every time |
| Verified | false |
| Duplicate | true |
| Reproduced | false |
Reported Configuration
| Field | Value |
|---|---|
| Product | ColdFusion 9.0 |
| Release | Updater 1 |
| OS | Any |
| Web Server | Apache |
Closed Bug 82997 (SSL)
Submitted By: Jeremy Moore on Fri May 21 2010
When trying to make an HTTPS call, I am getting a "Could not generate secret" error in the SSL debug (adding javax.net.debug=ssl to the JVM parameters). This is to a DISA.MIL address inside DoD. I have created a simple Java class and use the same runtime and cacerts file as CF and can make the call just fine (taking CF out of the loop, but I think it may be a problem with the certs). I have also called java.net.URL directly in the cfm page and it fails with the same error. Calls to other DoD and commercial HTTPS URLs work fine.
Vote From Brian FitzGerald on Thu Jun 23 2011
Vote From Brian Ghidinelli on Fri Sep 10 2010
I am experiencing the same underlying TLS failure that Jeremy is. Here's code that does not work and returns the dreaded i/o peer not authenticated failure:

```cfml
<cfhttp url="https://pukkasoftware.batchbook.com/service/people.xml" method="get" username="x" password="x" charset="UTF-8" timeout="30" throwonerror="no" />
<cfdump var="#cfhttp#" />
```

Adding Jeremy's jsafe removal allows the code to work successfully. I have tested this and it fails on:

- CF8.0.1/Windows
- CF9/Windows
- CF8.0.1/Linux

It does NOT fail on CF7/Linux. This particular SSL certificate is a wildcard with a chain of four certs; importing all four of the certificates into the keystore does not fix the situation. Many people on CFGURU tried and could not get it to work either; the only fix to date that has worked is to remove jsafe per Jeremy's code.
Vote From Christian Hofstätter on Mon Nov 14 2011
Vote From Anthony Cole on Thu Nov 18 2010
Having the exact same issue with a GoDaddy wildcard certificate. Adding all the chained certificates to the keystore does not fix the issue. The issue does not exist on CF7.
Vote From Erik Cussimano on Sat Apr 30 2011
Vote From Ellis Wood on Wed Jun 22 2011
Vote From Jon Hirschi on Tue Sep 20 2011
Spent quite a while working with this issue as well. It's preventing us from connecting to a REST API that we need access to.
Vote From Paul Dynan on Tue May 31 2011
Vote From Peter Freitag on Mon Sep 13 2010
Vote From Rachit Arora on Wed Sep 21 2011
Vote From Rob Sherman on Tue Sep 20 2011
Vote From Sami Hoda on Fri Apr 29 2011
Spent all day trying to fix this issue. It's a major pain.
Comment By Jeremy Moore on Fri May 21 2010
Additionally... In the SSL debug output, the keys listed are identical, except that in the pure Java test that works the cert lists "Key: Sun RSA public key, 2048 bits" together with a modulus and public exponent, while the CF version has "Key: com.rsa.jsafe.provider.JSA_RSAPublicKey@102756d" and does NOT have the modulus and exponent listed.
Comment By Jeremy Moore on Wed May 26 2010
OK, for this issue, it looks like it is the JSafe security provider in CF that is causing the issue. I do not know why. I can use a bit of Java to remove the provider before doing the HTTP call and it works, but this is a system-wide change and could affect other stuff...

```cfml
<cfset objSecurity = createObject("java", "java.security.Security")>
<cfset objSecurity.removeProvider("JsafeJCE")>
```

To see a list of all providers, you can use the code below. You could also just cfdump the entire array and get lots of other details...

```cfml
<cfset allProviders = objSecurity.getProviders()>
<hr>
<cfloop array="#allProviders#" index="thisProvider">
    <cfoutput>[#thisProvider.getName()#]<br>[#thisProvider.getInfo()#]</cfoutput>
    <hr>
</cfloop>
```
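The two comments above (Brian's failing cfhttp call and Jeremy's provider removal) both come down to which JCE provider the JVM selects for the RSA and Diffie-Hellman operations in the handshake. The following is an added example, not code from the bug report or from Adobe: it shows the provider order and the provider actually chosen for RSA KeyFactory, DiffieHellman KeyAgreement and the TLS SSLContext, then demotes JsafeJCE to the end of the preference list instead of removing it, so code that asks for that provider by name still finds it. The provider name "JsafeJCE" is taken from Jeremy's comment; the algorithm names are standard JCA names; that demotion (rather than removal) is enough to clear the "Could not generate secret" error is an assumption the thread does not test, so verify it with the before/after output.

```cfml
<!--- Added example (not from the bug report). Diagnose which JCE provider
      serves the algorithms used in the failing TLS handshake, then demote
      JsafeJCE to last place rather than removing it. This is still a
      JVM-wide change; compare the before/after output before relying on it. --->
<cfset secApi = createObject("java", "java.security.Security")>
<cfset keyFactoryApi = createObject("java", "java.security.KeyFactory")>
<cfset keyAgreementApi = createObject("java", "javax.crypto.KeyAgreement")>
<cfset sslContextApi = createObject("java", "javax.net.ssl.SSLContext")>

<!--- Name of the provider that getInstance(algorithm) resolves to, i.e. the
      first provider in preference order that implements the algorithm. --->
<cffunction name="providerFor" returntype="string" output="false">
    <cfargument name="engine" type="any" required="true">
    <cfargument name="algorithm" type="string" required="true">
    <cfreturn arguments.engine.getInstance(arguments.algorithm).getProvider().getName()>
</cffunction>

<!--- Installed provider names in preference order (position 1 wins ties). --->
<cffunction name="listProviders" returntype="array" output="false">
    <cfset var names = []>
    <cfset var p = "">
    <cfloop array="#secApi.getProviders()#" index="p">
        <cfset arrayAppend(names, p.getName())>
    </cfloop>
    <cfreturn names>
</cffunction>

<!--- Print the resolution for the three engines involved in the handshake. --->
<cffunction name="report" returntype="void" output="true">
    <cfargument name="label" type="string" required="true">
    <cfoutput>
    <b>#arguments.label#</b><br>
    Provider order: #arrayToList(listProviders())#<br>
    RSA KeyFactory: #providerFor(keyFactoryApi, "RSA")#<br>
    DiffieHellman KeyAgreement: #providerFor(keyAgreementApi, "DiffieHellman")#<br>
    TLS SSLContext: #providerFor(sslContextApi, "TLS")#<br>
    </cfoutput>
</cffunction>

<cfset report("Before")>

<!--- Demote rather than remove: insertProviderAt() returns -1 and does nothing
      if the provider is already installed, so it must be removed first and then
      re-inserted at the last position (positions are 1-based). --->
<cfif listFind(arrayToList(listProviders()), "JsafeJCE")>
    <cfset jsafe = secApi.getProvider("JsafeJCE")>
    <cfset secApi.removeProvider("JsafeJCE")>
    <cfset secApi.insertProviderAt(jsafe, arrayLen(listProviders()) + 1)>
</cfif>

<cfset report("After demoting JsafeJCE")>
```

Run this once in a test page; if the "After" block shows the RSA and DiffieHellman engines resolving to the Sun providers while JsafeJCE still appears at the end of the list, the demotion has the same effect on the handshake as Jeremy's removal without making the provider unavailable to code that requests it explicitly.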
Comment By Brian Ghidinelli on Fri Sep 10 2010
Here is a full debug using -Djavax.net.ssl=debug while trying to connect to my https://pukkasoftware.batchbook.com example:

```
*** Found trusted certificate:
[
[
  Version: V3
  Subject: CN=*.batchbook.com, OU=BatchBook, O=BatchBlue Software LLC, L=Barrington, ST=Rhode Island, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key: com.rsa.jsafe.provider.JSA_RSAPublicKey@e1e2f1
  Validity: [From: Tue Mar 16 17:00:00 PDT 2010,
               To: Wed Jul 13 16:59:59 PDT 2011]
  Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [ 0173e283 d39b4920 b423e955 7617477d]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.digicert.com,
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://www.digicert.com/CACerts/DigiCertHighAssuranceCA-3.crt]
]

[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.batchbook.com
  DNSName: batchbook.com
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 50 EA 73 89 DB 29 FB 10 8F 9E E5 01 20 D4 DE 79  P.s..)...... ..y
0010: 99 48 83 F7                                      .H..
]
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B6 FE 14 33 B9 92 DC E2 50 4A 7F ED 93 CC 08 69  ...3....PJ.....i
0010: 5D FF 39 55                                      ].9U
]
]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.3.0.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2E 68 74 74 70 3A 2F 2F 77 77 77 2E 64 69 67  ..http://www.dig
0010: 69 63 65 72 74 2E 63 6F 6D 2F 73 73 6C 2D 63 70  icert.com/ssl-cp
0020: 73 2D 72 65 70 6F 73 69 74 6F 72 79 2E 68 74 6D  s-repository.htm
], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 82 01 56 1E 82 01 52 00 41 00 6E 00 79 00 20  0..V...R.A.n.y.
0010: 00 75 00 73 00 65 00 20 00 6F 00 66 00 20 00 74  .u.s.e. .o.f. .t
0020: 00 68 00 69 00 73 00 20 00 43 00 65 00 72 00 74  .h.i.s. .C.e.r.t
0030: 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20  .i.f.i.c.a.t.e.
0040: 00 63 00 6F 00 6E 00 73 00 74 00 69 00 74 00 75  .c.o.n.s.t.i.t.u
0050: 00 74 00 65 00 73 00 20 00 61 00 63 00 63 00 65  .t.e.s. .a.c.c.e
0060: 00 70 00 74 00 61 00 6E 00 63 00 65 00 20 00 6F  .p.t.a.n.c.e. .o
0070: 00 66 00 20 00 74 00 68 00 65 00 20 00 44 00 69  .f. .t.h.e. .D.i
0080: 00 67 00 69 00 43 00 65 00 72 00 74 00 20 00 43  .g.i.C.e.r.t. .C
0090: 00 50 00 2F 00 43 00 50 00 53 00 20 00 61 00 6E  .P./.C.P.S. .a.n
00A0: 00 64 00 20 00 74 00 68 00 65 00 20 00 52 00 65  .d. .t.h.e. .R.e
00B0: 00 6C 00 79 00 69 00 6E 00 67 00 20 00 50 00 61  .l.y.i.n.g. .P.a
00C0: 00 72 00 74 00 79 00 20 00 41 00 67 00 72 00 65  .r.t.y. .A.g.r.e
00D0: 00 65 00 6D 00 65 00 6E 00 74 00 20 00 77 00 68  .e.m.e.n.t. .w.h
00E0: 00 69 00 63 00 68 00 20 00 6C 00 69 00 6D 00 69  .i.c.h. .l.i.m.i
00F0: 00 74 00 20 00 6C 00 69 00 61 00 62 00 69 00 6C  .t. .l.i.a.b.i.l
0100: 00 69 00 74 00 79 00 20 00 61 00 6E 00 64 00 20  .i.t.y. .a.n.d.
0110: 00 61 00 72 00 65 00 20 00 69 00 6E 00 63 00 6F  .a.r.e. .i.n.c.o
0120: 00 72 00 70 00 6F 00 72 00 61 00 74 00 65 00 64  .r.p.o.r.a.t.e.d
0130: 00 20 00 68 00 65 00 72 00 65 00 69 00 6E 00 20  . .h.e.r.e.i.n.
0140: 00 62 00 79 00 20 00 72 00 65 00 66 00 65 00 72  .b.y. .r.e.f.e.r
0150: 00 65 00 6E 00 63 00 65 00 2E                    .e.n.c.e..
]]
]
]

[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/ca3-2010d.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/ca3-2010d.crl]
]]

[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 2F CB 6A 5B E2 27 2E 8E 82 3C EA 4F 38 E1 BB 1A  /.j[.'...<.O8...
0010: 8A 87 97 0D AE 2E EC 8C 7B B0 20 36 6B 56 F2 F6  .......... 6kV..
0020: E2 3E F8 7F CC B5 D5 FE 70 81 2C B5 11 FB A6 5B  .>......p.,....[
0030: CB 1B 67 6C 95 EE 3B CA 25 89 83 67 80 73 C9 E3  ..gl..;.%..g.s..
0040: 89 E7 34 3A E0 1B 63 F2 E4 24 12 1E 5A 45 E3 A8  ..4:..c..$..ZE..
0050: 0E 4B C8 C9 10 F5 01 06 50 C0 0D BD E1 D1 57 74  .K......P.....Wt
0060: 96 34 DD 65 DA DC 1D 12 EE 87 2B AB 83 FB B6 E5  .4.e......+.....
0070: 62 FB C3 49 31 D6 1E F6 22 74 FA 30 C8 61 4D 3B  b..I1..."t.0.aM;
0080: 84 9E 91 5C 75 94 BC A4 6C 38 71 11 29 3F E7 CC  ...\u...l8q.)?..
0090: CC B7 A9 99 E3 69 72 2F 49 83 4C 7D 81 3A A0 FC  .....ir/I.L..:..
00A0: E7 3E F2 23 2A A4 A3 AD 5A D5 1E 3B 79 E9 55 CB  .>.#*...Z..;y.U.
00B0: 84 97 52 49 BD 0F 2B 36 0F 5F 1C 4F 7F 4D CB 24  ..RI..+6._.O.M.$
00C0: C7 EC 0F 03 8F C0 AD AD C0 6E A6 F2 FC 96 8E EE  .........n......
00D0: E2 27 4A 15 39 3D E8 66 56 44 95 62 3E 3F 00 5F  .'J.9=.fVD.b>?._
00E0: D4 EE F1 03 C6 0B D9 6A DB 95 54 3A 70 2C B5 AF  .......j..T:p,..
00F0: EA 9B 4A 43 62 24 D3 7D 9E 55 5A 00 B8 6F 73 1D  ..JCb$...UZ..os.

]
jrpp-1, READ: TLSv1 Handshake, length = 397
*** Diffie-Hellman ServerKeyExchange
DH Modulus:  { 187, 188, 45, 202, 216, 70, 116, 144, 124, 67, 252, 245, 128, 233, 207, 219, 217, 88, 163, 245, 104, 180, 45, 75, 8, 238, 212, 235, 15, 179, 80, 76, 108, 3, 2, 118, 231, 16, 128, 12, 92, 203, 186, 168, 146, 38, 20, 197, 190, 236, 165, 101, 165, 253, 241, 210, 135, 162, 188, 4, 155, 230, 119, 128, 96, 233, 26, 146, 167, 87, 227, 4, 143, 104, 176, 118, 247, 211, 108, 200, 242, 155, 165, 223, 129, 220, 44, 167, 37, 236, 230, 98, 112, 204, 154, 80, 53, 216, 206, 206, 239, 158, 160, 39, 74, 99, 171, 30, 88, 250, 253, 73, 136, 208, 246, 93, 20, 103, 87, 218, 7, 29, 240, 69, 207, 225, 107, 155 }
DH Base:  { 2 }
Server DH Public Key:  { 50, 136, 89, 4, 145, 48, 93, 68, 162, 111, 96, 178, 162, 51, 136, 84, 150, 56, 100, 20, 40, 129, 99, 144, 134, 202, 71, 110, 20, 203, 157, 205, 135, 216, 181, 187, 135, 45, 29, 108, 6, 31, 177, 71, 62, 11, 123, 179, 34, 204, 39, 27, 182, 140, 235, 22, 202, 239, 52, 148, 76, 132, 102, 53, 29, 6, 217, 13, 62, 76, 160, 109, 110, 95, 196, 181, 75, 109, 161, 202, 16, 254, 39, 107, 222, 173, 171, 137, 25, 196, 234, 137, 108, 232, 106, 180, 43, 10, 29, 3, 246, 81, 79, 38, 3, 187, 100, 2, 123, 164, 80, 66, 170, 79, 242, 125, 39, 110, 223, 1, 94, 111, 105, 143, 101, 0, 30, 5 }
Anonymous
jrpp-1, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
*** ClientKeyExchange, DH
DH Public key:  { 97, 102, 106, 61, 206, 231, 44, 217, 221, 134, 141, 235, 46, 252, 53, 48, 9, 188, 190, 135, 165, 221, 138, 77, 184, 115, 120, 198, 23, 10, 194, 159, 117, 156, 219, 223, 170, 160, 246, 171, 82, 214, 185, 29, 3, 145, 52, 97, 49, 242, 185, 226, 153, 50, 24, 166, 82, 200, 209, 138, 180, 7, 180, 73, 242, 198, 196, 88, 111, 79, 120, 245, 209, 86, 125, 255, 198, 186, 253, 210, 35, 250, 72, 36, 247, 113, 125, 6, 181, 221, 150, 115, 45, 8, 0, 5, 185, 141, 19, 242, 218, 51, 198, 36, 70, 116, 188, 240, 208, 20, 30, 192, 0, 167, 96, 148, 30, 212, 215, 183, 220, 71, 94, 159, 10, 220, 81, 23 }
jrpp-1, WRITE: TLSv1 Handshake, length = 134
jrpp-1, handling exception: java.lang.RuntimeException: Could not generate secret
jrpp-1, SEND TLSv1 ALERT: fatal, description = internal_error
jrpp-1, WRITE: TLSv1 Alert, length = 2
jrpp-1, called closeSocket()
jrpp-1, IOException in getSession(): javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate secret
```