tracker issue : CF-4118754

select a category, or use search below
(searches all categories and all time range)
Title:

cfhttp - use of buggy 4.4.1 http components (hostname verification fails when it shouldn't)

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/CannotReproduce

Reporter/Name(from Bugbase): Ryan Potter / Ryan Potter (Ryan Potter)

Created: 02/17/2016

Components: Net Protocols, HTTP

Versions: 2016

Failure Type: Usability Issue

Found In Build/Fixed In Build: CF2016_Final /

Priority/Frequency: Major / All users will encounter

Locale/System: ALL / Windows 10 64 bit

Vote Count: 2

Problem Description:
After installing 2016, cfhttp calls to https://www.googleapis.com no longer worked, returning this error: "Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US)"

Looks like there is an error in 4.4 which CF2016 now uses: https://issues.apache.org/jira/browse/HTTPCLIENT-1613

Lucee upgraded to 4.5.1 http://lang.lucee.org/t/new-patch-release-4-5-2-000/180


Any Workarounds:
I replaced the following 4.4.1 jar files (found in C:\ColdFusion2016\cfusion\lib) with the 5.5 jar files from https://repo1.maven.org/maven2/org/apache/httpcomponents/
httpclient-4.4.1.jar
httpclient-cache-4.4.1.jar
httpcore-4.4.1.jar
httpmime-4.4.1.jar

Restarted cf, it worked. No idea if I needed to replace all of them, but I did.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4118754

External Customer Info:
External Company:  
External Customer Name: Ryan Potter
External Customer Email:  
External Test Config: My Hardware and Environment details:

Win 10 64bit

Attachments:

Comments:

https://www.googleapis.com is not accessible from browser, does not look like its valid address. Please let us know. Using cfhttp, was able to make a successful call to https://www.facebook.com/. Thanks, Akhila.
Comment by Akhila K.
4734 | February 18, 2016 04:05:01 AM GMT
https://www.googleapis.com/ WORKS fine in browser and return "Not Found" He didn't provide the FULL API link. May be again SNI bug?
Comment by External U.
4735 | February 18, 2016 06:48:03 AM GMT
just try: <cfhttp url="https://www.googleapis.com/ " result="gotit"> <cfoutput>#gotit.FileContent#</cfoutput> You will see Connection FAILURE !! while checking using: http://web-sniffer.net/ we had result as: Status: HTTP/1.1 404 Not Found But the content still existed and is correctly detected by web-sniffer as: Not Found Same you can get in chrome/browser.
Comment by External U.
4736 | February 18, 2016 06:54:58 AM GMT
How can SNI still be broken. This has been going on since CF9.
Comment by External U.
4737 | February 18, 2016 08:11:37 AM GMT
Broken since CF9. Not helping the case for upgrading to CFr2016 here...
Vote by External U.
4742 | February 18, 2016 08:12:04 AM GMT
I am using Ryan Smith's code found here http://cfeosocial.riaforge.org/ to provide a way to authenticate my users via Google. Sorry didn't provide all the info. If you browse to the following URL without a valid OAuth token you will get a "Invalid Credentials". var httpService = new http(url="https://www.googleapis.com/oauth2/v1/userinfo", method="GET"); httpService.addParam(type="header",name="Authorization",value="OAuth #arguments.token#"); httpService.addParam(type="header",name="GData-Version",value="3.0");
Comment by External U.
4738 | February 18, 2016 11:45:19 PM GMT
Should probably change the title to 'CFHTTP broken when using SSL". SNI is a requirement for working HTTPS. Has been for about a decade.
Comment by External U.
4739 | February 19, 2016 03:25:15 AM GMT
fix this please
Vote by External U.
4743 | February 22, 2016 07:50:30 AM GMT
Can you confirm if the issue is still happening with update 1 as well? Thanks!
Comment by S P.
4740 | June 13, 2016 03:45:54 AM GMT
Since the issue is not happening from update 1, closing the bug. Thanks!
Comment by S P.
4741 | July 01, 2016 01:58:56 AM GMT