ColdFusion的CFHTTP I / O异常：对等体未通过身份验证 - 即使添加证书后，密钥库 [英] ColdFusion CFHTTP I/O Exception: peer not authenticated - even after adding certs to Keystore

问题描述

我目前正在与付款处理器工作。我可以浏览到从我们的服务器的URL支付，所以它不是一个防火墙的问题，但是当我尝试使用CFHTTP我得到一个I / O异常：同行不进行身份验证。我已经下载并安装了最新的安全证书到cacerts中密钥库和重新启动的CF和我仍然得到同样的错误。我不仅安装了供应商证书，而且证书链中的其他2威瑞信证书颁发机构的证书。该证书是3类新的扩展验证证书之一。

I'm currently working with a payment processor. I can browse to the payment URL from our server, so it's not a firewall issue, but when I try to use CFHTTP I get a I/O Exception: peer not authenticated. I've downloaded and installed their latest security cert into cacerts keystore and restarted CF and am still getting the same error. Not only have I installed the providers cert, but also the 2 other Verisign certificate authority certs in the certificate chain. The cert is one of the newer Class 3 Extended Validation certs.

有没有人遇到过这一点，并找到了解决办法？

Has anybody come across this before and found a solution?

推荐答案

我的一个同事发现了以下连接到第三方时遇到同样的问题了。

A colleague of mine found the following after experiencing the same issue when connecting to a 3rd party.

<击> http://www.coldfusionjedi.com/index.cfm/2011/1/12/Diagnosing-a-CFHTTP-issue--peer-not-authenticated

的https://www.raymondcamden.com/2011/01/12/Diagnosing-a-CFHTTP-issue-peer-not-authenticated/

我们使用的皮特·弗赖塔格在注释提供了进一步的下跌的一页的解决方案。它的工作原理，但我认为应谨慎使用，因为它涉及到动态删除，并在JsafeJCE提供商的特定属性加回。

We used the solution provided in the comment by Pete Freitag further down the page. It works, but I think should be used with caution, as it involves dynamically removing and adding back in a particular property of the JsafeJCE provider.

有关归档的缘故，这里是皮特·弗赖塔格的评论的原创内容：

For the sake of archiving, here is the original content of Pete Freitag's comment:

我已经有点进一步收窄下来，并删除
  KeyAgreement.DiffieHellman从RSA JsafeJCE提供商（其
  导致用于代替缺省太阳实现）缝到
  工作，可能有你的服务器不是删除就少的效果
  整个提供商会。这里是你如何做到这一点：

I've narrowed this down a bit further, and removing the KeyAgreement.DiffieHellman from the RSA JsafeJCE provider (which causes the default sun implementation to be used instead) seams to work, and probably has less of an effect on your server than removing the entire provider would. Here's how you do it:

<cfset objSecurity = createObject("java", "java.security.Security") />
<cfset storeProvider = objSecurity.getProvider("JsafeJCE") />
<cfset dhKeyAgreement = storeProvider.getProperty("KeyAgreement.DiffieHellman")>
<!--- dhKeyAgreement=com.rsa.jsafe.provider.JSA_DHKeyAgree --->
<cfset storeProvider.remove("KeyAgreement.DiffieHellman")>

Do your http call, but pack the key agreement if you want:

<cfset storeProvider.put("KeyAgreement.DiffieHellman", dhKeyAgreement)>

  
  

我想通了这一点，通过使用的SSLSocketFactory来创建一个HTTPS
  连接，这在堆栈跟踪提供更多的细节，比
  使用CFHTTP时：

I figured this out by using the SSLSocketFactory to create a https connection, which provided a bit more details in the stack trace, than when using cfhttp:

yadayadayada Caused by: java.security.InvalidKeyException: Cannot
build a secret key of algorithm TlsPremasterSecret at
com.rsa.jsafe.provider.JS_KeyAgree.engineGenerateSecret(Unknown
Source) at javax.crypto.KeyAgreement.generateSecret(DashoA13*..) at
com.sun.net.ssl.internal.ssl.DHCrypt.getAgreedSecret(DHCrypt.java:166)

  
  

将是巨大的，如果从ColdFusion的抛出的异常是有点少
  通用的。

Would be great if the exception thrown from ColdFusion was a bit less generic.

这篇关于ColdFusion的CFHTTP I / O异常：对等体未通过身份验证 - 即使添加证书后，密钥库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！