X509 client-certificate not found in Jetty 11 - jetty

After a recent upgrade from Jetty 10 to Jetty 11 we have a problem with connections that use a client certificate. The client certificate used to be available in a request attribute "javax.servlet.request.X509Certificate", but since Jetty 11 this is no longer the case. Is this a bug or is there another way to obtain the client certificate in Jetty 11?

I found the answer in org.eclipse.jetty.server.SecureRequestCustomizer. In Jetty 11 the attribute name for the client certificate has changed from "javax.servlet.request.X509Certificate" to "jakarta.servlet.request.X509Certificate".
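
Reading the certificate under the new attribute name, as an added example (not part of the original post and not Jetty's own code); the class name ClientCertServlet and the 403 response are assumptions. A lookup under the old javax name returns null on Jetty 11, so the code treats a missing attribute as "no certificate" and refuses the request instead of continuing unauthenticated.

```java
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.cert.X509Certificate;

// Added example: hypothetical servlet for Jetty 11 (jakarta.servlet namespace).
public class ClientCertServlet extends HttpServlet {

    // Attribute name on Jetty 11, as quoted on this page.
    // On Jetty 10 the same value was stored under "javax.servlet.request.X509Certificate".
    static final String CLIENT_CERT_ATTR = "jakarta.servlet.request.X509Certificate";

    /**
     * Returns the certificate the client presented in the TLS handshake,
     * or null when the attribute is absent (no client certificate, a
     * plain-HTTP connector, or a lookup under the wrong attribute name).
     */
    static X509Certificate clientCertificate(HttpServletRequest request) {
        Object attr = request.getAttribute(CLIENT_CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            // The servlet API stores the chain with the client's own certificate first.
            return chain.length > 0 ? chain[0] : null;
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        X509Certificate cert = clientCertificate(request);
        if (cert == null) {
            // Fail closed: a missing attribute must never be treated as an
            // authenticated caller.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate required");
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println(cert.getSubjectX500Principal().getName());
    }
}
```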

Related

Consume Https Soap web service in ASP.NET Core 5

I have an HTTPS soap web service that has a certificate.
Firstly, I install that certificate as "local machine" in "Trusted Root Certification Authorities".
Then, I can connect to it and add a reference to it in the .NET Framework project.
But I have a problem when trying to consume it in the ASP.NET Core 5 project. When I try to add it as a "WCF Web Service Reference", I get this error:
An error occurred while attempting to find services at 'https://15.5.36.23/yxxx/soap/yyyy?wsdl'.
The request was aborted: Could not create SSL/TLS secure channel.
I use Windows 10 and Visual Studio 2019 V16.10.2.
How can I fix it?
Thanks

Not able to add a https web service in ColdFusion 8

We are trying to add a https web service via CFadmin in ColdFusion 8.
We have two ColdFusion applications. One on ColdFusion 2016 and other in ColdFusion 8.
The CF8 application consumes few of the Web services of CF2016 application.
Recently, we added SSL to CF2016 application. So now the URLs of this application are HTTPS.
After it, few of the modules of cf8 that were consuming the webservices of cf2016 stopped working.
We figured it out that we need to update the webservice urls in cf8 with https urls.
We tried to update the webservice urls in CFAdmin but with no success. ColdFusion does not allow us to do it. It shows one error message
Error creating web service. Please ensure that you have entered a correct Web Service name or URL.
We have checked the WS url in browser. It's returning the WSDL XML.
After a bit of searching we found this link
http://www.richarddavies.us/archives/2006/02/enabling_web_services.php
It suggests to add the SSL certificate to ColdFusion's Java Keystore and restart ColdFusion services. We followed the steps - Imported the SSL certificate to keystore and restarted coldfusion service. But no success. We also tried restarting the whole server.
Can someone suggest what else needs to be done to add HTTPS webservice to ColdFusion 8. We are currently clueless.
Configuration:
App1(non ssl) - CF8-multiserver, java6,iis7.5, windows server 2008 r2
App2(SSL installed) - CF2016, java8, iis8.5, windows server 2012 R2
The quickest solution you can do is to upgrade the CF8 to cf2016.
If Windows 2003 Server as there is no support from Microsoft for TLS 1.1 or 1.2 in this server version.
https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/

coldfusion 2016 cfhttp call to authorize.net returning connection failure

I'm trying to use a cfhttp post to secure.authorize.net/gateway/transact.dll, but am getting a connection failure. I'm using coldfusion 2016 on windows server 2008. I believe I have the correct cert file registered in the java keystore but am not 100% sure. Based on some google searches, I think that is the problem.
I downloaded and registered GeoTrust Primary Certification Authority - G2 from https://www.geotrust.com/resources/root-certificates/
Any tips on how to make sure the proper sha-2 certificate is registered in the keystore? I tried using IE to save the certificate from secure.authorize.net/gateway/transact.dll, by following the instructions here https://www.youtube.com/watch?v=ewT4aud-xww but that also didn't seem to work.
I should add that this wasn't working even before the TLS disablement date of yesterday. That was just a coincidence. I previously had CF 9 installed, and it was working on there. From what I've always understood, the communication failure error usually indicates lack of or incorrectly imported certificate into the keystore. I tried copying the CACerts file from the cf9 install, as well as start fresh and manually import the certs.
It's likely to be related to the disablement of TLS 1.0 and 1.1 which happened today.
We're having the same issue on a couple of servers, but not others, so trying to work out why that is.
All servers are TLS 1.2 enabled, but connections on some appear to be failing.

How to add TLS 1.2 in cfhttp tag in ColdFusion 10

I am using ColdFusion 10. How can I specify my connection is TLS 1.1, TLS 1.0, etc. Can I use the cfhttp tag?
How to add TLS 1.2 in cfhttp tag using ColdFusion?
ColdFusion 10 will handle the TLS 1.2 protocol using CFHTTP without any issues as long as you are running ColdFusion on Java 1.8.0_nn. You need to upgrade your Java version. Also see this article I wrote on which SSL/TLS protocols are usable for each ColdFusion/Java version combination.
https://www.trunkful.com/index.cfm/2014/12/8/Preventing-SSLv3-Fallback-in-ColdFusion
To install a new Java version I always install the JDK in a non-default location that is only used for ColdFusion. ie C:\java\jdk1.8.0_nn\ This way you know it's for ColdFusion and not for the OS. Of course if you're on Linux then the location would be different, but you'd know that already.
Regards,
Wil
The easiest way that I've found so far to use native CF 10 tags and TLS 1.2 is to upgrade the JDK/JRE to 1.8 on the CF server.
I've been using ColdFusion 10 with Server JRE 1.8 u151 for a while now.
You can download the Server JRE here:
http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html
For my Windows Server, I just unzip/tar the server-jre-8u151-windows-x64.tar.gz file to "C:\Program Files\Java". This creates a folder named jdk1.8.0_151.
Log into your CF Administrator
Server Settings > Java and JVM
Set [Java Virtual Machine Path] to C:/Program Files/Java/jdk1.8.0_151/jre
Add this phrase to [JVM Arguments]: -Dhttps.protocols=TLSv1.2
Submit Changes
After you restart ColdFusion, it will now be using Server JRE 1.8u151 and force SSL to use TLS 1.2.
I've been performing TLS 1.2 connections using ColdFusion 4.5, 5.0, 6MX, 7, 8, 9, 10, 11 & 2016 using CFX_HTTP5, a C/C++ tag (0% Java; 0% COM; 0% MFC).
http://www.adiabata.com/cfx_http5.cfm
PayPal is in the process of upgrading their API endpoints to allow only TLS 1.2 and HTTP/1.1 connections.
https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US
The only way I could connect to https://tlstest.paypal.com/ was to use CFX_HTTP5 w/CF9 & 10 was to set SSL="5". CFX_HTTP5 also enables you to specify which protocol version to use per-request. It's not a setting that is enabled and forced on all connections... no guessing, interfering w/other website requirements hosted on same server or need to restart the server when changing protocols.
SSL =
0 - SSL3 and TLS1;
1 - SSL2;
2 - SSL3;
3 - TLS1;
4 - TLS1.1;
5 - TLS1.2;
I've also encountered situations where SSL certificates are temporarily invalid due to accidental expiration. In those cases, CFX_HTTP5's SSLERRORS="OK" flag enabled me to consume the API while ignoring the temporary certificate error. (I don't believe that ColdFusion can do this.)

WebSocket upgrade in jetty-7.6

I am using CometD server and deploying it in jetty. I am using CometDv2.5.1 and Jettyv7.6. I just want to know how does websocket upgrade happens.
Does jetty have any upgrade filter? If yes, then when is it doing the upgrade?
Thanks,
John
Upgrade on Jetty 7 is typically done within a Servlet, not a filter. There also exists a Handler version.
Upgrade on Jetty 8 is the same.
Upgrade on Jetty 9:
if using JSR-356 (aka javax.websocket), then it is done internally, before all servlet processing.
if using the Jetty WebSocket API, then you can use a Servlet, Filter, or Handler.
The Jetty 9 WebSocket API's filter is the most capable (from a path mapping perspective)