Fatal编程技术网
  • soap/
  • Soap Coldfusion CFHTTP握手失败

Soap Coldfusion CFHTTP握手失败

soap coldfusion certificate

Soap Coldfusion CFHTTP握手失败,soap,coldfusion,certificate,cfhttp,Soap,Coldfusion,Certificate,Cfhttp,我正试图通过CFHTTP发送一个带有客户端证书的SOAP请求。我在SOAP UI中的测试请求成功,但当我尝试通过CFHTTP发送请求时,我收到以下错误: I/O Exception: Received fatal alert: handshake_failure 我的CFHTTP标记如下所示: <cfhttp url="https://..." method="post" clientcert="C:\..." clientcertpassword="pa

我正试图通过CFHTTP发送一个带有客户端证书的SOAP请求。我在SOAP UI中的测试请求成功,但当我尝试通过CFHTTP发送请求时,我收到以下错误:

I/O Exception: Received fatal alert: handshake_failure
我的CFHTTP标记如下所示:

<cfhttp
    url="https://..."
    method="post"
    clientcert="C:\..."
    clientcertpassword="password"
    result="httpResponse"
    >
coldfusion-out.log

Sep 26, 2016 07:07:59 AM Information [ajp-bio-8014-exec-10] - Starting HTTP request {URL='https://...', method='post'}
我已经用keytool导入了证书,当我在cacerts中列出证书时,我会在那里看到它们

我还有什么其他想法可以解决这个问题吗

编辑以添加:

我的证书是.p12格式的,并且有密码。我已经在SOAPUI中使用密码测试了.p12文件,它可以正常工作

我已经安装了CF10 Certman,并确认CF管理员也提供了证书

我已将以下行添加到我的jvm.config中:

-Djavax.net.ssl.keyStore=C:\\ColdFusion11\\jre\\lib\\security\\cacerts 
-Djavax.net.ssl.keyStorePassword=password 
-Djavax.net.ssl=debug
-Djavax.net.debug=all
我用\和/C:/Coldfusion11/…尝试了密钥库路径

其他coldfusion-out.log输出:

Sep 26, 2016 11:10:06 AM Information [ajp-bio-8014-exec-2] - Starting HTTP request {URL='https://...', method='post'}
...
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
...
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1458128991 bytes = { 40, ... }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: url ]
***
ajp-bio-8014-exec-2, WRITE: TLSv1 Handshake, length = 195
ajp-bio-8014-exec-2, READ: TLSv1.1 Alert, length = 2
ajp-bio-8014-exec-2, RECV TLSv1 ALERT:  fatal, handshake_failure
ajp-bio-8014-exec-2, called closeSocket()
ajp-bio-8014-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Finalizer, called close()
Finalizer, called closeInternal(true)
SOAPUI中的密码套件是TLS_ECDHE_RSA_和_AES_128_CBC_SHA

更新

我从cfhttp标记中删除了clientcert和clientcertpassword,现在我在coldfusion-out.log中看到了这一点:

ajp-bio-8014-exec-1, WRITE: TLSv1.1 Handshake, length = 64
ajp-bio-8014-exec-1, setSoTimeout(360000) called
ajp-bio-8014-exec-1, WRITE: TLSv1.1 Application Data, length = 1680
ajp-bio-8014-exec-1, READ: TLSv1.1 Alert, length = 48
ajp-bio-8014-exec-1, RECV TLSv1.1 ALERT:  warning, close_notify
ajp-bio-8014-exec-1, called closeInternal(false)
ajp-bio-8014-exec-1, SEND TLSv1.1 ALERT:  warning, description = close_notify
ajp-bio-8014-exec-1, WRITE: TLSv1.1 Alert, length = 48
ajp-bio-8014-exec-1, called closeSocket(false)
ajp-bio-8014-exec-1, called close()
ajp-bio-8014-exec-1, called closeInternal(true)
我已经联系了服务器管理员,看看他们是否看到了他们端的请求

更新

将clientcert添加回修复了它

我不确定到底是什么解决了这个问题,但如果你查看我的原始帖子,包括更新,以下事情似乎有助于解决这个问题:

1不包括clientcert导致ColdFusion检查服务器证书的cacerts

2重新添加clientcert导致ColdFusion完成握手

JVM.config设置也有助于调试和确保使用了正确的协议。

关于参考,请阅读和@Leothelion,我已经阅读了这两篇文章。我试过上面提到的建议。我将把jvm.config添加到我的原始帖子中。您确定ColdFusion使用的密钥库文件正确吗?你曾经在那个服务器上更新过Java吗?ColdFusion管理员系统信息页面将告诉您Java主标签下正在使用的路径。另请看一看。@Miguel-F我在CF Administrator中显示Java主目录是C:\ColdFusion11\jre,并且我将证书添加到位于C:\ColdFusion11\jre\lib\security中的cacerts中,那么这应该是正确的安装密钥库。检查我引用的链接以了解其他可能性 
ajp-bio-8014-exec-1, WRITE: TLSv1.1 Handshake, length = 64
ajp-bio-8014-exec-1, setSoTimeout(360000) called
ajp-bio-8014-exec-1, WRITE: TLSv1.1 Application Data, length = 1680
ajp-bio-8014-exec-1, READ: TLSv1.1 Alert, length = 48
ajp-bio-8014-exec-1, RECV TLSv1.1 ALERT:  warning, close_notify
ajp-bio-8014-exec-1, called closeInternal(false)
ajp-bio-8014-exec-1, SEND TLSv1.1 ALERT:  warning, description = close_notify
ajp-bio-8014-exec-1, WRITE: TLSv1.1 Alert, length = 48
ajp-bio-8014-exec-1, called closeSocket(false)
ajp-bio-8014-exec-1, called close()
ajp-bio-8014-exec-1, called closeInternal(true)