SSL

Secure Sockets Layer

Your CFHTTP requests may fail with the error I/O Exception: Received fatal alert: handshake_failure. One possible reason is that you are connecting to a web server that has very strict SSL security settings enabled and is no longer compatible with older Java 8 versions.

If you are running ColdFusion on Java < 8.0.161 and you add -Djavax.net.debug=ssl,handshake,verbose to C:\ColdFusion2016\[cfusion]\bin\jvm.config, you will see the below info message in coldfusion-out.log:

We tried to access a remote web service from a partner, and they had updated their certificate a few days earlier. The request fails with a very unhelpful error message in ColdFusion.

Symptom:

  • ColdFusion CFHTTP fails when you access an SSL site that worked in the past.
  • ColdFusion CFDUMP of the result shows Connection Failure with I/O Exception: peer not authenticated
  • ColdFusion CFDUMP of the result shows I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.

Analysis:

Since the server does provide the intermediate certificates, only the root certificate can be the cause here. There are, however, other situations in which the certificate chain is incomplete and you get the same error. Verify this first with SSL Labs or a certificate checker from a certificate authority, but be aware that such checkers sometimes fail to report missing intermediate certificates.

Code for testing:

This PowerShell script sets up your Windows computer to support the TLS 1.1 and TLS 1.2 protocols with forward secrecy. Additionally, it increases the security of your SSL connections by disabling the insecure SSL2 and SSL3 protocols and all insecure and weak ciphers that a browser might otherwise fall back to. The script implements the current best-practice rules. It was originally written for Microsoft Internet Information Server 7.5/8.0/8.5/10 (IIS) on Windows 2008R2/2012/2012R2/2016/2019, but the settings below are system-wide and apply to everything that uses the Microsoft crypto infrastructure (Schannel). That includes Microsoft Exchange, Internet Explorer and Edge, and all applications that use the WinHTTP API. It works on both Windows desktops and servers.

After you have added the registry entries below, you will probably want to verify that your server now offers the much more secure SSL connections. The https://www.ssllabs.com/ssltest/ site gives you a good impression of how secure your SSL connections are. You should get a summary like this:

SSL server check summary - rating A, Windows 2016, TLS 1.2 only

We tried to access a remote web service from a partner, and they had updated their certificate a few days earlier. The request fails with a very unhelpful error message in ColdFusion.

Symptom:

  • ColdFusion CFHTTP fails when you access an SSL site that worked in the past.
  • ColdFusion CFDUMP of the result shows Connection Failure with I/O Exception: peer not authenticated

Analysis:

The very first idea was that something must be wrong with the top-level certification authority, for example a root certificate missing from the cacerts store because it was never shipped with Java. The root certificate was imported manually, but the error remained. As you may have experienced yourself, ColdFusion is always very unhelpful when it comes to SSL errors. If you need more detailed information you have to go down to the Java level. Here is an example code snippet you can run:
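The post's own snippet is not on this page. The following is an added diagnostic example, not the author's code: it opens a TLS connection using the JVM's default trust store, records the certificate chain the server actually presents, and on a PKIX failure prints that chain so you can tell a missing intermediate (server sends only the leaf) apart from a root that is simply not in cacerts (the situation described above). Run it with the same JRE ColdFusion uses so the trust store and protocol support match what CFHTTP sees; the class name ChainCheck and the 10-second timeout are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added diagnostic example (not the post's own snippet).
 * Usage: java ChainCheck <host> [port]   -- run with the JRE that ColdFusion uses.
 */
public class ChainCheck {

    /** Wraps the platform trust manager so the presented chain is kept even when validation fails. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presentedChain;   // chain as sent by the server, leaf first

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presentedChain = chain;         // remember first, then let the default validator decide
            delegate.checkServerTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** The JVM's default X509TrustManager, backed by cacerts (or javax.net.ssl.trustStore if set). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        RecordingTrustManager tm = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10_000);    // assumed timeout for this example
            // Verify the host name the same way HttpsURLConnection (and thus CFHTTP) does.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();        // throws SSLHandshakeException on PKIX or protocol failure
            System.out.println("Handshake OK: " + socket.getSession().getProtocol()
                    + " " + socket.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }

        if (tm.presentedChain == null) {
            // No chain was handed to the trust manager: the handshake broke before certificate
            // validation, e.g. no common protocol or cipher suite (the handshake_failure alert case).
            System.out.println("No certificate chain was validated; check protocol/cipher overlap with the server.");
            return;
        }
        System.out.println("Chain presented by the server (" + tm.presentedChain.length + " certificate(s)):");
        for (int i = 0; i < tm.presentedChain.length; i++) {
            X509Certificate c = tm.presentedChain[i];
            System.out.printf("  [%d] subject=%s%n      issuer =%s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
        }
        X509Certificate leaf = tm.presentedChain[0];
        X509Certificate last = tm.presentedChain[tm.presentedChain.length - 1];
        boolean leafSelfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        if (tm.presentedChain.length == 1 && !leafSelfSigned) {
            System.out.println("Only the leaf certificate was sent: the server is missing its intermediate certificate(s).");
        } else {
            System.out.println("Intermediates are present; a validation failure means the issuer '"
                    + last.getIssuerX500Principal() + "' is not a trust anchor in this JVM's trust store.");
        }
    }
}
```

Compile and run with the ColdFusion JRE, for example javac ChainCheck.java followed by java ChainCheck partner.example.com (host is a placeholder). A chain of length one whose leaf is not self-signed points at the server's configuration; a longer chain that still fails validation points at the trust store of the JVM, which is exactly what importing the root certificate into cacerts addresses. Adding -Djavax.net.debug=ssl,handshake to the java command line prints the same handshake detail the post mentions for jvm.config.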