我目前正在与支付处理商合作。我可以从我们的服务器浏览到支付 URL,因此这不是防火墙问题,但当我尝试使用 CFHTTP 时,我收到 I/O 异常:对等方未经过身份验证。我已下载最新的安全证书并将其安装到 cacerts 密钥库中并重新启动 CF,但仍然遇到相同的错误。我不仅安装了提供商证书,还安装了证书链中的其他 2 个 Verisign 证书颁发机构证书。该证书是较新的 3 类扩展验证证书之一。
以前有人遇到过这个问题并找到解决方案吗?
I'm currently working with a payment processor. I can browse to the payment URL from our server, so it's not a firewall issue, but when I try to use CFHTTP I get a I/O Exception: peer not authenticated. I've downloaded and installed their latest security cert into cacerts keystore and restarted CF and am still getting the same error. Not only have I installed the providers cert, but also the 2 other Verisign certificate authority certs in the certificate chain. The cert is one of the newer Class 3 Extended Validation certs.
Has anybody come across this before and found a solution?
发布评论
评论(8)
我的一位同事在连接到第三方时遇到同样的问题后发现了以下内容。
http://www.coldfusionjedi.com/index.cfm/2011/1/12/Diagnosing-a-CFHTTP-issue--peer-not-authenticatedhttps://www.raymondcamden.com/2011/01/12 /Diagnosing-a-CFHTTP-issue-peer-not-authenticated/
我们使用了页面下方 Pete Freitag 的评论中提供的解决方案。它有效,但我认为应该谨慎使用,因为它涉及动态删除和添加回 JsafeJCE 提供程序的特定属性。
为了存档方便,以下是Pete Freitag评论的原文:
A colleague of mine found the following after experiencing the same issue when connecting to a 3rd party.
http://www.coldfusionjedi.com/index.cfm/2011/1/12/Diagnosing-a-CFHTTP-issue--peer-not-authenticatedhttps://www.raymondcamden.com/2011/01/12/Diagnosing-a-CFHTTP-issue-peer-not-authenticated/
We used the solution provided in the comment by Pete Freitag further down the page. It works, but I think should be used with caution, as it involves dynamically removing and adding back in a particular property of the JsafeJCE provider.
For the sake of archiving, here is the original content of Pete Freitag's comment:
特定于带有现代 ssl 密码的 Web 服务器的 Coldfusion 8:
我在 JDK 1.6.45 上使用 Coldfusion 8,并且遇到了 问题;只给我红色十字而不是图像,并且 cfhttp 无法使用 ssl 连接到本地网络服务器。
我用 Coldfusion 8 重现的测试脚本
给了我一个非常普遍的错误“I/O 异常:对等点未经过身份验证”。
然后,我尝试将服务器的证书(包括根证书和中间证书)添加到 java 密钥库以及 Coldfusion 密钥库中,但没有任何帮助。
然后我调试了问题
并得到了
然后
我想到网络服务器(在我的例子中是apache)具有非常现代的ssl密码并且非常严格(qualys得分a +)并且使用超过1024位的强大的Diffie-Hellman组。显然,coldfusion和java jdk 1.6.45无法管理这个。
旅程的下一步是考虑安装一个替代的 java 安全提供程序,我决定使用 bouncy castle。
另请参见 http://www.itcsolutions.eu/2011/08/22/how-to-use-bouncy-castle-cryptographic-api-in-netbeans-or-eclipse-for -java-jse-projects/
然后我
从 http://www.bouncycastle 下载了该文件。 org/latest_releases.html 并将其安装在
C:\jdk6_45\jre\lib\ext 或者你的 jdk 所在的位置,在 Coldfusion 8 的原始安装中,它将位于 C:\JRun4\jre\lib\ext 下,但我使用位于外部的较新的 jdk (1.6.45) Coldfusion 目录。将 bcprov-ext-jdk15on-156.jar 放在 \ext 目录中非常重要(这花了我大约两个小时和一些头发;-)
然后我编辑了文件 C:\jdk6_45\jre\lib\security\java.security (使用写字板而不是 editor.exe!)并为新提供程序添加一行。之后列表看起来像
(请参阅位置 1 中的新列表),
然后完全重新启动 Coldfusion 服务。
然后你就可以
享受这种感觉了...
当然
多么美好的夜晚,多么美好的白天。希望这会对那里的人有帮助(部分或全部)。如果您有疑问,请发邮件给我 info ...(上面的域名)。
specific to coldfusion 8 with an webserver with modern ssl ciphers:
I use coldfusion 8 on JDK 1.6.45 and had problems with <cfdocument ...> giving me just red crosses instead of images, and also with cfhttp not able to connect to the local webserver with ssl.
my test script to reproduce with coldfusion 8 was
this gave me the quite generic error of " I/O Exception: peer not authenticated."
I then tried to add certificates of the server including root and intermediate certificates to the java keystore and also the coldfusion keystore, but nothing helped.
then I debugged the problem with
and got
and
I then had the idea that the webserver (apache in my case) had very modern ciphers for ssl and is quite restrictive (qualys score a+) and uses strong Diffie-Hellman groups with more than 1024 bits. obviously, coldfusion and java jdk 1.6.45 can not manage this.
Next step in the odyssee was to think of installing an alternative security provider for java, and I decided for bouncy castle.
see also http://www.itcsolutions.eu/2011/08/22/how-to-use-bouncy-castle-cryptographic-api-in-netbeans-or-eclipse-for-java-jse-projects/
I then downloaded the
from http://www.bouncycastle.org/latest_releases.html and installed it under
C:\jdk6_45\jre\lib\ext or where ever your jdk is, in original install of coldfusion 8 it would be under C:\JRun4\jre\lib\ext but I use a newer jdk (1.6.45) located outside the coldfusion directory. it is very important to put the bcprov-ext-jdk15on-156.jar in the \ext directory (this cost me about two hours and some hair ;-)
then I edited the file C:\jdk6_45\jre\lib\security\java.security (with wordpad not with editor.exe!) and put in one line for the new provider. afterwards the list looked like
(see the new one in position 1)
then restart coldfusion service completely.
you can then
and enjoy the feeling...
and of course
<cfhttp and <cfdocument worked like a charm and like before we "hardened" our ssl ciphers in apache!
what a night and what a day. Hopefully this will help (partially or fully) to someone out there. if you have questions, just mail me at info ... (domain above).
您是否将其添加到正确的密钥库中?请记住,ColdFusion 使用它自己的 Java 实例。我曾经花了好几个小时才想起这个事实。你想要的那个位于 /ColdFusion8/runtime/jre/lib/security/ 之类的地方
Did you add it to the correct keystore? Remember that ColdFusion uses it's own Java instance. I spent several hours on this once before remembering that fact. The one you want is at somewhere like /ColdFusion8/runtime/jre/lib/security/
中尝试使用此命令
在 CMD C:\ColdFusion9\runtime\jre\bin>
keytool -import -keystore ../lib/security/cacerts
-alias uniquename -filecertificatename.cer
注意:我们必须选择安全文件夹中存在的正确密钥库,因为 bin 中存在其他密钥库文件。如果我们将证书导入到这些密钥库中,它将不起作用。
Try with this in CMD
C:\ColdFusion9\runtime\jre\bin>
keytool -import -keystore ../lib/security/cacerts
-alias uniquename -file certificatename.cer
Note: We must choose the correct keystore present inside the security folder,as there are other keystore file present inside bin.If we will import the certificate to those key stores it will not work.
我刚刚发现的内容在这篇文章中被引用: http://kb2.adobe.com/经过大量挖掘后,cps/400/kb400977.html 和其他一些地方。
如果您正在查看本文,您很可能已将“server.crt”证书插入到正确的根位置,并且您可能已使用命令
\ColdFusion9\runtime\jre\bin\keytool -import -v -alias someServer-cert -file someServerCertFile.crt -keystore cacerts -storepass changeit(如果您尚未执行此操作,请立即执行此操作)。
我遇到的问题是我正在本地主机上设置 ssl,因此在执行这些步骤后我仍然遇到相同的错误。
事实证明,您还需要使用以下命令将“server.crt”插入通常位于 /ColdFusion9/runtime/jre/lib 中的“trustStore”文件中,
希望这会节省一些时间。
What I just found out was referenced at this article: http://kb2.adobe.com/cps/400/kb400977.html and a few other places after a lot of digging.
If you are looking at this article you have most likely inserted your "server.crt" certificate in the proper root locations and you have probably inserted it into the cacerts file in /ColdFusion9/runtime/jre/lib/security using the command
\ColdFusion9\runtime\jre\bin\keytool -import -v -alias someServer-cert -file someServerCertFile.crt -keystore cacerts -storepass changeit(if you haven't done this, do it now).
The thing I was running into was that I am setting up ssl on my localhost so after doing these steps I was still getting the same error.
As it turns out, you need to also insert your "server.crt" into the "trustStore" file commonly located in /ColdFusion9/runtime/jre/lib using the command
Hopefully this will save someone time.
我正在使用JRun。在尝试了很多不同的事情之后,我发现了一些适用于我的设置的信息片段。我已经使用自己的信任库文件配置了 (1)HTTPS SSLService。这导致以下链接中的信息变得重要。
http://helpx.adobe.com/coldfusion/kb /import-certificates-certificate-stores-coldfusion.html
以下是我的 jrun.xml 文件的摘录:
将证书导入此信任库 (/app/jrun4/cert/truststore.jks) 后,它在重新启动 ColdFusion 后即可工作。
(1) http://helpx.adobe.com/遗留/kb/ssl-jrun-web-server-connector.html
I am using JRun. After trying a lot of different things I came across a snippet of information that was applicable in my setup. I had configured an (1)HTTPS SSLService with my own truststore file. This caused the piece of information in the following link to become important.
http://helpx.adobe.com/coldfusion/kb/import-certificates-certificate-stores-coldfusion.html
Here is the excerpt from my jrun.xml file:
Once I imported the certificate into this truststore (/app/jrun4/cert/truststore.jks) it worked after restarting ColdFusion.
(1) http://helpx.adobe.com/legacy/kb/ssl-jrun-web-server-connector.html
在 CF9 Enterprise 上,将证书添加到密钥库对我来说不起作用。
最终使用 CFX 标签
CFX_HTTP5。Adding the cert to the keystore did not work for me on CF9 Enterprise.
Ended up using the CFX tag,
CFX_HTTP5.我意识到这是一个非常古老的讨论,但由于它仍然出现在 CF 中搜索“对等未验证”错误的顶部附近,我想与大多数人分享,简单的解决方案是更新CF 使用的 JVM。 (稍后将详细介绍如何执行此操作。)
问题的原因通常是被调用的服务进行了更改,需要更高版本的 TLS 或 SSL(可能还需要更改支持的算法)。后来的 JVM 提供了这一点,而早期的 JVM 则没有。由于 CF 在 JVM 之上运行,因此 CF 的调用(va cfhttp、cfldap、cfmail 等)“突然”开始失败。
当然,有时证书更新就是答案(即使如此,您也必须小心翼翼地进行),但并不总是需要它。更新 JVM 还提供了其他好处,例如错误修复等。
唯一的挑战是了解您的 CF 版本将支持哪些 JVM。 (但即使是仍在旧 CF 版本上运行的人也发现,更新 JVM CF 使用已经解决了这个问题,并且没有引起任何其他问题。)
我在 2019 年的一篇文章中讨论了所有这些:
https://coldfusion.adobe.com/2019/06/error-calling- cf-via-https-solved-updating-jvm/
希望可以帮助别人。
I realize this is a very old discussion, but since it still comes up near the top of a search for the "peer not authenticated" error in CF, I wanted to share that for most people, the simple solution is to update the JVM that CF uses. (More in a moment on how to do that.)
The cause of the problem is generally that the service BEING CALLED has made a change that requires a later version of TLS or SSL (and perhaps a change to supported algorithms). Later JVMs offer that, while earlier ones did not. Since CF runs atop the JVM, it's the calls out of CF (va cfhttp, cfldap, cfmail, etc) that "suddenly" start to fail.
And sure, sometimes a cert update is the answer (and even then, you have to do it carefully), but it's not always needed. And updating the JVM also gives other benefits, in terms of bug fixes, etc.
The only challenge is knowing what JVM your version of CF will support. (But even people still running on an old CF version have found that updating the JVM CF uses has solved this problem and not caused any others.)
I discuss all this in a 2019 post:
https://coldfusion.adobe.com/2019/06/error-calling-cf-via-https-solved-updating-jvm/
Hope that may help someone.