<cfmail> failing when <cfmailparam> attaches image over https - coldfusion

I think this is more of a server setup issue?
As the subject says, when I "embed" images to a cfmail, using cfmailparam, if the image is called over https, the email fails. The error I get in mail.log is
javax.mail.MessagingException: IOException while sending message;
nested exception is: java.net.SocketException: Connection reset
Any ideas?
Thx!

Check the {cf_root}/logs/exception.log to see if there is anything more informative.
Sounds like CF isn't liking the SSL certificate. I know some CF versions and using CFHTTP, etc. don't like wildcard or SAN certificates and you have to import those to the keystore.
You have to grab the certificate then use the keytool to import it. This will require a CF restart after.
keytool -import -trustcacerts -keystore ./cacerts -alias myCert -file myCert.cer
Adobe has a write up on how-to: How to import certificates to ColdFusion's truststore

The problem could be because your Java version which is running ColdFusion is not supporting new TLS versions. You can solve this by upgrading Java to 1.8 or later or you can add the following to the JVM config in the ColdFusion Administrator.
-Dhttps.protocols=TLSv1.1,TLSv1.2

Related

AWS Managed AD SSL Certifcates export

I am trying to explore AD integration and was able to succesfully complete the setup as described in AWS blog post, and verified that SSL connection is working fine from "Management box".
Based on my understanding, ldp.exe from Management box is working fine because management box is joined to this AD and certificates are propagated properly.
I have use case where another linux box (which can't be joined to AD) but should use LDAPS over SSL to do some user search. For this to work, I need to export SSL and install it on Linux box. I couldn't quite figure out how to find and export certificates in this example? Are those certificates are available on RootCA (or) SubordinateCA and how to export them? appreciate any help.
I'm assuming you generated the SSL cert in AWS via Amazon Certificate Services (ACS). Although ACS won't allow you to export the private key from ACS, you shouldn't need it. All you need to do is import the public certificate into the certificate trust store that your Linux box is using when it connects to the AD server. I can't tell you how to do that (not sure what the application is), but you should be able to extract the public cert using openssl. You'll point openssl to the ad server, and have it output the public cert.
I'm pretty sure this is the openssl command line that would do that:
openssl s_client -showcerts -connect activedirectory.yourdomain.com:636
You can download the certificate from the ldaps end point and install it as follows.
Install openldap client
sudo yum install -y openldap-clients
• Download and Add Server Certificate to the openldap cert path
openssl s_client -connect <LDAPSURL>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > server.crt
• Configure LDAP Details
Vi /etc/openldap/ldap.conf
BASE dc=corp,dc=example,dc=com
URI ldaps://corp.example.com
TLS_CACERT /etc/openldap/certs/server.crt

Browser error during django + SSL connection with local server

I have a problem during adding facebook login button to my website at localhost.
I've already add mysite.com to hosts file and installed django-extensions, werkzeug, pyOpenSSL. By running command python manage.py runserver_plus --cert-file cert.crt my own-made sertificate was created. I imported this certificate to Trusted Chrome sertificates but safe connection doesn't establish. When i pass https://example.com:8000/account/login/ I hit an error NET::ERR_CERT_COMMON_NAME_INVALID,
Failed to confirm that this is the server example.com. Its safety certificate refers to *. The server may be configured incorrectly or someone is trying to intercept your data.
Please help me to solve this.

How to Solve unknown_ca error on WSO2IS-5.7 when using MySQL RDS as backstore?

I've tried to install an instance on AWS using aws RDS as
my datasource through the mysql-connector-java-5.1.45-bin.jar
with jdbc url
jdbc:mysql://< instance>.< zone>.rds.amazonaws.com:3306/carbon_db
i've got an exception
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failurecom.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 7 milliseconds ago. The last packet sent successfully to the server was 7 milliseconds ago.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
.
.
.
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
I've tried to run
keytool -importcert -keystore <keystore> -storepass <pass> -noprompt -file rds-combined-ca-bundle.pem
on cacerts.jks in JVM and client-trustore.jks inside WSO2 repository with no effect
This happens since the public certificate from your DB connection, is not trusted by the WSO2 Identity Server.
Since you have tried adding the certificate, verify whether this has been added properly.
Get the public certificate from your DB instance.
Go to the <IS_HOME>/repository/resources/security folder. Import the public certificate to the client-truststore.jks file. Use the command below.
keytool -importcert -file certificate.cer -keystore client-truststore.jks -alias "Alias"
Restart the wso2 IS instance and check if the issue still persists.
According to the MySQL connector documentation in [1], following JDBC URL parameters should be included into the JDBC url to enable the SSL communication between MySQL server and the wso2 server.
useSSL=true
requireSSL=true
clientCertificateKeyStoreUrl
clientCertificateKeyStorePassword
I was able to successfully create the secure connection between MySQL server and the wso2 server with the below JDBC URL.
jdbc:mysql://<HOST_NAME>:<PORT>/apimgtdb?useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:<WSO2_HOME>/repository/resources/security/client-truststore.jks&clientCertificateKeyStorePassword=wso2carbon

WSO2 DAS: certificate didn't match

I'm installed WSO2 DAS Server on my LAN network, but I can't create new Dashboard because this error:
javax.net.ssl.SSLException: hostname in certificate didn't match:
<192.168.3.27> != localhost
in log file here.
Please help and thanks
It happens due to certificate is for localhost not for the domain that we run. For that we need to generate new certificate with specific domain and configuration changes with correct .jks file and correct password.
It will resolve the certificate didn't match. We need to replace all the localhost in the portal folder. If I have worked like these and fixed with gaudiness. For more refernce please visit
http://www.vitharana.org/2012/12/how-to-add-new-keystore-to-carbon-4_3.html
Above error log happens due to certificate is for localhost not for the host (192.168.3.27). You can fix this by importing KeyStore file to the trustore by using following commands in the terminal.
keytool -export -alias <HostName> -file mycert.crt -keystore myjks.jks -storepass <pwd>
keytool -import -alias <HostName> -file /usr/local/app/wso2/wso2das-3.0.0/repository/resources/security/mycert.crt -keystore cacerts -storepass changeit
Please refer following articles for more details [1]. On the other hand for a quick test you can access dashboard portal in http by using following URL
http://localhost:9763/portal/
[1] https://medium.com/#dunithd/wso2-das-how-to-fix-javax-net-ssl-sslexception-160c13bc8fe7#.npua5d4nf

Amazon 500150 Error setting closing connection General SSLEngine

While connecting to Amazon RedShift, I getting the below error:
2016-04-14 13:49:30 ERROR SQL Exception when connecting [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
java.sql.SQLException: [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
at workbench.db.DbDriver.connect(DbDriver.java:546)
at workbench.db.ConnectionMgr.connect(ConnectionMgr.java:244)
at workbench.db.ConnectionMgr.getConnection(ConnectionMgr.java:172)
at workbench.gui.components.ConnectionSelector.doConnect(ConnectionSelector.java:227)
at workbench.gui.components.ConnectionSelector$1.run(ConnectionSelector.java:131)
Caused by: java.sql.SQLException: [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
at com.amazon.redshift.client.PGClient.<init>(Unknown Source)
at com.amazon.redshift.core.PGJDBCConnection.connect(Unknown Source)
at com.amazon.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.amazon.jdbc.common.AbstractDriver.connect(Unknown Source)
at workbench.db.DbDriver.connect(DbDriver.java:513)
at workbench.db.ConnectionMgr.connect(ConnectionMgr.java:244)
at workbench.db.ConnectionMgr.getConnection(ConnectionMgr.java:172)
at workbench.gui.components.ConnectionSelector.doConnect(ConnectionSelector.java:227)
I am using SQL Workbench J to connect to the database system. The strangeness here it that the connection was working fine two days ago. This problem appeared from nowhere. Any idea??
We are following the exact steps written in the setup guide to add certificates to Java.
https://community.boomi.com/docs/DOC-2381
Am I missing anything here?
UPDATE
My Redshift database is SSL configured. We use SQL Workbench J (http://www.sql-workbench.net/) client to connect to that database. The issue now is that everytime we try to connect, we are getting the error I mentioned.
Below is our URL format:
jdbc:redshift://hostname:5439/dbname?ssl=true&sslmode=verify-full
It worked for me when I followed the solution given by cfregly on databricks forum. Please follow below URL for this solution:
https://forums.databricks.com/questions/867/ssl-connection-issues-with-redshift.html
Please try appending sslfactory value in the Connection URL string like below - it might work.
ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
Please add the following without the server certificate
ssl=true&sslfactory=com.amazon.redshift.ssl.NonValidatingFactory
The following would be the possible values for sslfactory
com.amazon.redshift.ssl.NonValidatingFactory
org.postgresql.ssl.NonValidatingFactory
Please see http://docs.aws.amazon.com/redshift/latest/mgmt/configure-jdbc-options.html
Try the following.
Run the keystore keytool based on the Java install for the environment variable JAVA_HOME (you may have multiple java installs so just use the default). Use the default cacerts keystore that comes with the JRE which will have a password of "changeit". You need to download the Redshift Certificate.
Then install the certificate for example:
C:\Program Files\Java\jdk1.8.0_25\jre\bin>keytool.exe -keystore "C:\Program Files\Java\jdk1.8.0_25\jre\lib\security\cacerts" -import -alias redshift -file redshift-ssl-ca-cert.pem
It will prompt you for the password ("changeit") and then should say the key has been added. If it fails its probably because you are not an admin user, so if in linux use sudo or in windows open the command window as administrator.
Start MYSQL Workbench using the cacerts keystore and the password entered above eg:
C:\apps\SQL-Workbench-Build118>java -Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.8.0_25\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit -jar sqlworkbench.jar
You should be able to use the URL above and it should now work.