Problem description
We have 9 ColdFusion 10 servers running version 10,0,13,287689. We've added the correct certificates to the cacerts file for the Java version being used by ColdFusion. Our CFHTTP SSL calls will work correctly for a while, then suddenly they will start returning peer not authenticated. They will not work again until the ColdFusion instance is recycled, at which point they work until they fail again. There is no information in the coldfusion-out, coldfusion-error, http, or exception ColdFusion logs regarding the failure.
In addition, just because the CFHTTP HTTPS calls begin failing on one ColdFusion instance, doesn’t mean they will fail on the other. Our ColdFusion servers have multiple ColdFusion instances bound to different websites. As such, for example, one instance may give peer not authenticated, and another will work correctly, despite both using the same Java version and cacerts file. Again, recycling the ColdFusion instance that isn't working will resolve the issue and the CFHTTP call will no longer fail with peer not authenticated.
This issue may be related to this: ColdFusion CFHTTP I/O Exception: peer not authenticated - even after adding certs to Keystore
However, I've also tried the steps here to no avail, both the one from Raymond and the one by Peter in the comments: http://www.raymondcamden.com/2011/1/12/Diagnosing-a-CFHTTP-issue--peer-not-authenticated
We've contacted Adobe and they are investigating the issue, but thought I'd see if anyone else has experienced these random CFHTTP SSL failures.
Recommended answer
Adobe support has been absolutely no help. They keep insisting that our certificates are bad or that we do not have our cacerts file set up correctly (despite the fact this worked fine on ColdFusion 9 and will work for some period of time after the ColdFusion instance is recycled).
I ended up working around this issue by interfacing with the java.net.URL library directly using cfobject. When the ColdFusion instance begins failing with peer not authenticated, using java.net.URL still works.
Here's a snippet of code from my cffunction tag (which is in a Custom Tag) which may help anyone else stuck in this situation:
<!--- For https URLs this connection validates the server certificate against the JVM's default trust store --->
<cfset var urlConnection = createObject("java", "java.net.URL").init("#arguments.requestURL#").openConnection()>
<cfset var inputReader = "">
<cfset var bufferedReader = "">
<!--- var-scope the writer so it does not leak into the shared variables scope --->
<cfset var outputWriter = "">
<cfset urlConnection.setRequestMethod(UCASE(arguments.requestMethod))/>
<cfset urlConnection.setRequestProperty("User-Agent", CGI.HTTP_USER_AGENT)/>
<cfif arguments.requestMethod EQ "POST">
  <!--- Send the form-encoded request body --->
  <cfset urlConnection.setRequestProperty("Content-Type","application/x-www-form-urlencoded")/>
  <cfset urlConnection.setDoOutput(true)/>
  <cfset outputWriter = createObject("java", "java.io.OutputStreamWriter").init(urlConnection.getOutputStream())>
  <cfset outputWriter.write(arguments.requestData)/>
  <cfset outputWriter.close()/>
</cfif>
<!--- Complete the request first: getErrorStream() returns null until a response has been read --->
<cfset urlConnection.getResponseCode()/>
<cfif ISNULL(urlConnection.getErrorStream()) EQ TRUE>
  <cfset inputReader = createObject("java", "java.io.InputStreamReader").init(urlConnection.getInputStream())>
<cfelse>
  <!--- 4xx/5xx responses deliver their body on the error stream --->
  <cfset inputReader = createObject("java", "java.io.InputStreamReader").init(urlConnection.getErrorStream())>
</cfif>
<cfset bufferedReader = createObject("java", "java.io.BufferedReader").init(inputReader)>
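
When one instance fails and another on the same server works, it helps to confirm from inside each instance which JVM and trust store it actually resolves, and whether the imported certificate is present and unexpired there. The following diagnostic is an added example, not code from the original post; it assumes a JKS store, the JDK default password `changeit` unless `javax.net.ssl.trustStorePassword` is set, and a placeholder for the SHA-256 fingerprint of the certificate you imported.

```cfml
<cfscript>
// Added diagnostic (not the poster's code). Run it inside each ColdFusion instance.
// Assumed: JKS store, default password "changeit", placeholder fingerprint below.
expectedSha256 = "REPLACE_WITH_SHA256_FINGERPRINT_OF_IMPORTED_CERT";
expectedSha256 = lCase(replace(expectedSha256, ":", "", "all"));

sys       = createObject("java", "java.lang.System");
javaHome  = sys.getProperty("java.home");
storePass = sys.getProperty("javax.net.ssl.trustStorePassword", "changeit");

// JSSE lookup order: javax.net.ssl.trustStore, then jssecacerts, then cacerts.
storePath = sys.getProperty("javax.net.ssl.trustStore", "");
if (NOT len(storePath)) {
    storePath = javaHome & "/lib/security/jssecacerts";
    if (NOT fileExists(storePath)) {
        storePath = javaHome & "/lib/security/cacerts";
    }
}

keyStore = createObject("java", "java.security.KeyStore").getInstance("JKS");
stream   = createObject("java", "java.io.FileInputStream").init(storePath);
try {
    keyStore.load(stream, storePass.toCharArray());
} finally {
    stream.close();
}

digestClass = createObject("java", "java.security.MessageDigest");
today       = createObject("java", "java.util.Date").init();
matchInfo   = "NOT FOUND in this trust store";
aliases     = keyStore.aliases();
while (aliases.hasMoreElements()) {
    alias = aliases.nextElement();
    if (NOT keyStore.isCertificateEntry(alias)) {
        continue;
    }
    cert = keyStore.getCertificate(alias);
    fingerprint = lCase(binaryEncode(digestClass.getInstance("SHA-256").digest(cert.getEncoded()), "hex"));
    // compare() forces a string comparison; EQ may treat digit-only hex as a number.
    if (compare(fingerprint, expectedSha256) EQ 0) {
        matchInfo = "alias=" & alias & ", notAfter=" & cert.getNotAfter().toString()
                  & (cert.getNotAfter().before(today) ? " (EXPIRED)" : " (valid)");
        break;
    }
}
writeOutput("java.home: " & htmlEditFormat(javaHome) & "<br>");
writeOutput("trust store: " & htmlEditFormat(storePath) & " (" & keyStore.size() & " entries)<br>");
writeOutput("imported certificate: " & htmlEditFormat(matchInfo));
</cfscript>
```

Running it on a failing instance and on a working one shows whether the two really share the same `java.home` and trust store file.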