
I've been having a pretty fun time trying to get this request to work. I've been doing a <cfhttp method="get"...> request to Facebook for some time without a problem. The request grabs an RSS feed so we can display it on our site. Unfortunately, someone recently noticed it stopped working. The only thing I can think of that could be causing the problem is the URL in my system is http://www.facebook.com..., but is being redirected to secure (https://www.facebook.com...).

So I've tried installing the cert as is posted all over the "internets"...no dice. I've tried installing into ColdFusion, our webserver and the Java installation on which ColdFusion sits.

Is there any way to just tell ColdFusion that I don't care it's a secure request and to just process it anyways? Facebook doesn't care, and I know what I'm doing, so why should ColdFusion block me from doing what I want to do? This isn't the only time I've run into this, but I've usually not needed to make the secure request and done something else instead.

---Edit#1: I know this has to be a secure request. I just would like to know if there is some way to tell ColdFusion or Java that I don't want it to prevent the connection to the secure site.

ColdFusion 8 Enterprise, installed on a Solaris server, with Java JDK 1.6.0_12 (only version that works with Verity in this environment).

---Edit#2: The question is apparently very unclear. Sorry. Is it possible to temporarily disable the need for a cert to be installed for the request to be made to a secure URL? Pseudocode:

  • Turn off ColdFusion (or Java) cert checking
  • Make CFHTTP request to secure site (ex. <cfhttp url="https://www.facebook.com/feeds/page.php?format=rss20&id=12341234123412" method="get" />)
  • Turn on ColdFusion cert checking for future requests

I hope this helps. Sorry for the confusion.

Leigh
Matt
  • No, if you request something securely, then you need to accept it securely as well. If Facebook "didn't care", they'd not use HTTPS, they'd just use HTTP. – Adam Cameron Sep 04 '14 at 14:51
  • +1 what Adam said. Facebook is redirecting your HTTP request to HTTPS. You cannot control that and will need to communicate with SSL over HTTPS. That being said you need to install the Facebook certificate to the **correct** JVM keystore that is installed and currently in use by ColdFusion. [Instructions posted here](http://stackoverflow.com/a/19449937/1636917) – Miguel-F Sep 04 '14 at 15:53
  • @Adam - What I meant is that I don't want ColdFusion to care if it's an HTTPS request. I want to turn off whatever logic is there to prevent the connection if no cert exists. Obviously I can't connect to http://www.facebook.com when Facebook forces a secure connection. – Matt Sep 04 '14 at 18:57
  • @Miguel-F - I followed those instructions (which came from Adobe's instructions) to install the cert manually - as I said in the second paragraph. I'm installing to the cacerts trusted keystore in the JDK referenced in CFIDE. – Matt Sep 04 '14 at 18:58
  • @Matt that would be a violation of the HTTP protocol. It's not possible. And it's not an option. Just get your certs working. And apologies but I cannot help you with that, as I've never had to troubleshoot it. – Adam Cameron Sep 04 '14 at 19:41
  • How is it a violation of the HTTP protocol to tell a piece of software to disable its own protection? If I can connect to the same secure URL via every other programming language (assuming, of course, I have had no issues in .NET), but cannot connect to ANY secure site in ColdFusion, it seems like it's an application issue and not a "violation of the HTTP protocol" issue. All I want to do is (pseudocode): `Turn off cert checking` `Make secure cfhttp request` `Turn on cert checking (or not...)` – Matt Sep 05 '14 at 13:13
  • I do not think it is possible with cfhttp. It *is* technically allowed in java, but requires java code. IIRC, it cannot be done with just `createObject`. That said, it is generally considered [a very bad idea](http://stackoverflow.com/questions/12060250/ignore-ssl-certificate-errors-with-java). The best option is to fix the certificate problem. Are you 100% positive you imported the certificate into the correct keystore using an absolute path? Did you verify it with `keytool -list` AND restart the cf server? – Leigh Sep 09 '14 at 02:16
  • @Leigh - I have verified the certs are indeed listed using keytool -list and have restarted the CF server many, many times when working on this and for other things. – Matt Sep 17 '14 at 16:12
  • We recently discovered that CF8 only works with certificates using SHA-1, not SHA-2+. – Matt Aug 06 '15 at 18:59

1 Answer


You need to update your JVM to a newer version with updated root certificates as the SSL certificate that Facebook is using is more than likely based on a newer root certificate and your system is not recognising it. I would suggest you try JRE 1.6.0_45:

http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html#jre-6u45-oth-JPR

Also, it is not recommended to use the JDK in a production environment; you should be using the server JRE.

andrewdixon
  • Thank you for the information. I'll look into using a server JRE instead of the JDK as we have been. I wasn't involved in the setup of this server, so I don't know why they set it up with a JDK instead of a JRE. However, our environment doesn't work with a later version of a JRE. CF8 Enterprise (with Verity) on Solaris has issues beyond this Java version. We tested a bunch of Java versions and found that Verity doesn't work with those versions. – Matt Sep 17 '14 at 16:09