tracker issue : CF-3598342

Title:

CFHTTP does not work with SNI enabled SSL


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Wil Genovese / Wil Genovese (Wil Genovese)

Created: 07/19/2013

Components: Net Protocols

Versions: 10.0

Failure Type: Non Functioning

Found In Build/Fixed In Build: Final / CF10 Update18

Priority/Frequency: Major / Some users will encounter

Locale/System: English / Platforms All

Vote Count: 19

Problem Description:
We are trying to connect via CFHTTP over SSL to a Windows 2012 IIS 8 server that has SSL installed and Server Name Indication (SNI) is enabled. http://en.wikipedia.org/wiki/Server_Name_Indication 

Java 1.7 is supposed to work with SNI. ColdFusion's CFHTTP tag needs to be updated to handle SNI. SNI is an extension of the TLS protocol. Microsoft made this feature available in IIS 8, and as more of these servers are set up, ColdFusion will need to connect to them and will run into this issue.

ColdFusion 10 and ColdFusion 9 should be updated for the Server Name Indication (SNI) feature.

Steps to Reproduce:
Set up a Windows 2012 IIS 8 server and enable SNI for SSL. CFHTTP will not connect to it with SNI enabled.


Actual Result:
I/O Exception: peer not authenticated.

Expected Result:
Expected a valid connection

Any Workarounds:
No. Disabling Server Name Indication (SNI) is not always going to be a valid workaround.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3598342

External Customer Info:
External Customer Name: Wilgeno
External Test Config: My Hardware and Environment details:

Tested with ColdFusion 10u11 running on Java 1.7.0_25. 

Windows 7 64bit.

Attachments:

  1. July 20, 2013 00:00:00: 1_IIS8_SNI.png
  2. July 20, 2013 00:00:00: 2_cfhttp_error.png

Comments:

If you're unable to use cfhttp to connect with Windows servers using SNI-enabled SSL, that greatly limits the usefulness of cfhttp and, by extension, ColdFusion. In fact, it's a good reason for an employer to move away from being a ColdFusion shop.
Vote by External U.
14881 | July 22, 2013 10:51:29 AM GMT
See this blog post: http://www.trunkful.com/index.cfm/2013/7/22/What-You-Need-To-Know-About-CFHTTP-SSL-and-SNI
Comment by External U.
14862 | July 22, 2013 11:57:18 AM GMT
+1, this problem is only going to get worse.
Vote by External U.
14882 | July 22, 2013 03:19:35 PM GMT
+1 this will hit us pretty soon - we're upgrading everything and expect to use SNI for some services.
Vote by External U.
14883 | July 23, 2013 02:59:27 PM GMT
This issue hit us today. We have a server on which we cannot disable SNI due to the number of SSL sites on it, and we cannot connect via ColdFusion due to it not supporting SNI.
Vote by External U.
14884 | August 30, 2013 08:18:36 AM GMT
+1 Please have this implemented.
Vote by External U.
14885 | August 30, 2013 03:06:13 PM GMT
I came across this bug when trying to connect to the "Spreedly recurring billing" API when working on a SaaS web app in ColdFusion. It was an actual nightmare to determine what was going on, and eventually I had to make major changes in my app to avoid the issue. MANY people have struggled with this issue, and from what I know off the top of my head, this issue has reared its ugly head when trying to connect to many popular APIs via CFHTTP, including Spreedly, Basecamp, Highrise, ZenCoder, and I'm sure countless others.
Vote by External U.
14886 | September 08, 2013 08:29:08 AM GMT
This support is not there in the HttpClient library. There is an enhancement logged for this which has been fixed for version 4.3.2 which is yet to be released. https://issues.apache.org/jira/browse/HTTPCLIENT-1119 This will get fixed with the next release of HttpClient library.
Comment by Rupesh K.
14863 | January 03, 2014 02:21:59 AM GMT
We've come across the same problem and spent ages getting to the cause of the problem. A fix would be very welcome.
Vote by External U.
14887 | January 22, 2014 07:59:54 AM GMT
Upgraded the Apache HttpComponents library to 4.3.3 which includes support for SNI on Oracle 1.7+ jvm. Release notes for Apache HTTPComponents can be found at http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt
Comment by S V.
14864 | March 03, 2014 02:15:48 AM GMT
We have run into this problem with mission critical connections to a server we don't have control over in order to turn SNI off. Major hurdle for us to continue utilizing CF for this solution/situation.
Vote by External U.
14888 | July 23, 2014 08:24:45 AM GMT
+1 We also have encountered this with a remote Blackboard server upgrade and lost being able to connect to that remote server using cfhttp. We are using ColdFusion 11 Enterprise update 5 and this error is still present.
Vote by External U.
14889 | June 09, 2015 04:28:47 PM GMT
It's been almost 2 years since this has been reported. Has this been fixed? A note dated March 2, 2014 stated that the component has been upgraded and this bug currently has a "closed" status. I'm running 10,0,16,293499 Developer and checked for CF10 updates today (nothing available) and CFHTTP doesn't appear to be able to access SNI certificates. To verify that SNI is functioning properly, try accessing any of these URLs using CFHTTP: https://sni.velox.ch/ https://bob.sni.velox.ch/ https://alice.sni.velox.ch/ https://anything.sni.velox.ch/ I currently get this error: "I/O Exception: hostname in certificate didn't match: <bob.sni.velox.ch> != <alice.sni.velox.ch> OR <carol.sni.velox.ch> OR <alice.sni.velox.ch>"
Comment by External U.
14865 | June 10, 2015 09:20:06 AM GMT
The SNI support has been added in ColdFusion 11. The change required for supporting this is quite big and therefore it can't be backported to ColdFusion 10.
Comment by Rupesh K.
14866 | June 10, 2015 09:25:59 AM GMT
CFX_HTTP5 has an SSLERRORS="OK" parameter that optionally ignores all errors related to invalid site certificates (like expiration date or SNI) when using SSL. Would adding a new option like this be too big? If so, what is the recommended workaround (apart from using CFX_HTTP5 or shelling out money for CF11)? Permanently modify a server-wide XML config file to disable SNI?
Comment by External U.
14867 | June 10, 2015 10:09:46 AM GMT
With limited IP space, some web services/APIs are now switching to certificates that use SNI. As a result, ColdFusion 8, 9 & 10 can't perform HTTP requests using CFHTTP. CF 8 & 9 are EOL, but 10 should seriously be updated... especially since this bug is already ~2 years old.
Vote by External U.
14890 | June 10, 2015 10:17:21 AM GMT
James, have you tried using the Java setting "-Djsse.enableSNIExtension=false"? This is a workaround that so far has worked with Java 1.7 and up on CF9 and up. (http://www.trunkful.com/index.cfm/2015/5/29/Wildcard-and-SAN-SSL-with-CFHTTP-in-ColdFusion) The preferred solution would be to have this bug resolved in ColdFusion 10 too!!!
Comment by External U.
14868 | June 10, 2015 10:22:21 AM GMT
Those that have purchased CF10 deserve to have this bug fixed, or, at the very least, be given a significant discount (read; free) upgrade.
Vote by External U.
14891 | June 10, 2015 10:23:24 AM GMT
If SNI doesn't work in ColdFusion 10 (and won't be fixed), why doesn't Adobe pre-set the Java parameter in the next patch to ignore SNI automatically? It's a server-wide (all or nothing) setting. If you need to disable SNI for a single domain, it would be automatically disabled for all, right? Would this be a better solution than Adobe doing nothing and having every impacted developer manually troubleshoot it and convince their host provider that they need to make a change and reboot their server?
Comment by External U.
14869 | June 10, 2015 10:34:12 AM GMT
Seriously we need this fixed in ColdFusion 10 too. I have yet another client that I am trying to get CFHTTP over SSL to work again after the API being called via HTTPS was upgraded to using Wildcard SSL certificates AND SNI. Simply disabling SNI for the entire server isn't a great option and does not work in all cases.
Comment by External U.
14870 | July 27, 2015 04:51:52 PM GMT
The Java setting "-Djsse.enableSNIExtension=false" does not resolve all cases of SNI. The company hosting the API that is trying to be accessed has well over 80 different SSL certificates listed. It looks like CFHTTP isn't getting the full list of possible SSL certificates. The error is "I/O Exception: hostname in certificate didn't match: <app.icontact.com> != <a very long list of SSL certificates>".
Comment by External U.
14871 | July 28, 2015 11:13:54 AM GMT
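An added example, not from the bug report, ColdFusion or HttpClient: it shows on the wire what the SNI extension is that the HttpClient 4.3.3 upgrade adds and that "-Djsse.enableSNIExtension=false" removes. Using only Python's standard library, it drives a TLS client's first handshake step into memory buffers (no network) and parses the resulting ClientHello for the server_name extension; alice.sni.velox.ch is the SNI test host quoted earlier in this thread, and a client that omits the extension is the one a multi-certificate server answers with its default certificate.

```python
import ssl
import struct

def client_hello_bytes(server_hostname):
    """Run a TLS client's first handshake step into memory buffers (no network)
    and return the raw ClientHello record it produces. server_hostname=None
    mirrors a client with SNI disabled (Java's -Djsse.enableSNIExtension=false)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # only the first flight is wanted, no verified session
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                              # expected: the client now waits for a ServerHello
    return outgoing.read()

def sni_hostname(client_hello):
    """Return the host name in the ClientHello's server_name extension (RFC 6066),
    or None when the extension is absent."""
    if client_hello[0] != 0x16 or client_hello[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = client_hello[9:]               # skip 5-byte record header and 4-byte handshake header
    pos = 2 + 32                          # client_version + random
    pos += 1 + body[pos]                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                  # compression_methods
    if pos + 2 > len(body):
        return None                       # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0:                 # server_name: list_len(2), name_type(1), name_len(2), name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

if __name__ == "__main__":
    for host in ("alice.sni.velox.ch", None):
        print(f"server_hostname={host!r:>22} -> SNI sent: {sni_hostname(client_hello_bytes(host))!r}")
```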
What exactly are you spending our license dollars on if not fixing the bugs in the products we're paying for? REOPEN this ticket and do not close it until the community verifies the fix!
Vote by External U.
14892 | July 28, 2015 02:41:56 PM GMT
Who's it going to be more work for, Rupesh? You to fix it once, or all your clients to separately work around it because you can't be arsed? And you're overlooking or conveniently ignoring your clients have already *paid* for CF 10 to work to spec. Your attitude is... "subpar", here.
Comment by External U.
14872 | July 28, 2015 02:44:19 PM GMT
This should NOT be marked as Fixed when it is NOT fixed in the version that it was reported for. Forcing users to upgrade which is often VERY expensive and not always possible is NOT fixing it.
Vote by External U.
14893 | July 28, 2015 02:44:48 PM GMT
Reopen this and get it fixed for ColdFusion 10. Please.
Vote by External U.
14894 | July 28, 2015 02:49:57 PM GMT
This is not FIXED. It's broken, and it means that we can't run basic cfhttp calls with any reliability and it screws up scheduled tasks. This is ridiculous. Reopen this and fix it.
Vote by External U.
14895 | July 28, 2015 04:09:51 PM GMT
Exactly what Wil said. Same situation. Current "solution" is not acceptable. "Seriously we need this fixed in ColdFusion 10 too. I have yet another client that I am trying to get CFHTTP over SSL to work again after the API being called via HTTPS was upgraded to using Wildcard SSL certificates AND SNI. Simply disabling SNI for the entire server isn't a great option and does not work in all cases."
Comment by External U.
14873 | July 28, 2015 04:12:23 PM GMT
This really does need to be fixed. ColdFusion 10 still has a couple of years of support to go. This will only become more of an issue as more and more sites switch over their certificates to the latest technology in an effort to become more secure.
Vote by External U.
14896 | July 29, 2015 09:06:28 AM GMT
This DOES need to be fixed in CF 10. Upgrades are expensive and not an option in many, many cases without extensive regression testing. Meanwhile the site must continue to work in CF 10. CF 10 runs on supported versions of Java and Tomcat. In my view (as an owner of a business supporting more than 30 employees dedicated to ColdFusion) this should be a priority. Please Adobe, put resources to work here: real engineering resources. Thank you!
Vote by External U.
14897 | August 11, 2015 09:25:33 AM GMT
+1 Still have clients and employers in 2015 using Win2K3 & CF8/9.
Vote by External U.
14898 | August 26, 2015 04:31:48 PM GMT
"rukumar [19:30] We hear you and we will take it for CF 10. it would be there in the next update" This was on the Adobe sub channel of the CFML slack channel this evening.
Comment by External U.
14874 | September 01, 2015 01:09:16 PM GMT
+1 and subscribing ...........
Vote by External U.
14899 | September 01, 2015 11:19:34 PM GMT
This bug has been fixed in ColdFusion 11.0 but has been reopened to be fixed for a 10.0 update.
Comment by Rupesh K.
14875 | September 09, 2015 09:44:09 PM GMT
It's now closed again. Does this mean a fix for CF10 has been released?
Comment by External U.
14876 | October 14, 2015 03:54:54 AM GMT
It has been fixed for CF 10 as well and would be included in the upcoming update for CF10.
Comment by Rupesh K.
14877 | October 14, 2015 06:16:59 AM GMT
Woohoo!!!! Thank you!
Comment by External U.
14878 | October 14, 2015 10:26:44 AM GMT
When is the update scheduled for? I'm desperate for this by the end of October!
Comment by External U.
14879 | October 20, 2015 01:27:03 PM GMT
The update is scheduled for sometime early next month. Thanks.
Comment by Akhila K.
14880 | October 23, 2015 12:03:32 AM GMT