
Is there any way to let ColdFusion connect to any https site while ignoring the certificate? Currently I use curl (option --insecure) to connect to websites using https. But I would prefer it if there is a way to ignore the certificate altogether and use cfhttp again. I read several questions on stackoverflow in which a 'fake' trustmanager is proposed (e.g. Is it possible to get Java to ignore the "trust store" and just accept whatever SSL certificate it gets?). But I don't know how to load this class into the ColdFusion JVM.

To further clarify, my application fetches the source code of webpages entered by users, and analyzes the source code. Users can enter any url they wish. Users cannot send POST data, and sending a username and password in the url is prohibited.

Cœur
Nebu
  • 2
    This seems like a duplicate question of http://stackoverflow.com/q/25667748/1636917 ? That one already has some discussion going on the topic. I can't understand why you are trying to bypass security. That is NEVER a good idea. Just import the required certificate(s) and make it work the right way. – Miguel-F Sep 10 '14 at 12:54
  • Thank you for the response. There is no sensitive/private data being transmitted, therefor using a secure connection does not provide any needed security. My application does not have a standard set of websites which it connects to. User can add their own urls. Adding the certificate for each url that uses https is not a real option. I missed Matts question, but Matt only needs to connect to 1 website, that's very different from my situation. – Nebu Sep 10 '14 at 14:47
  • 1
    If you are allowing users to enter any URL they wish then how do you know _There is no sensitive/private data being transmitted_? This all seems very dangerous to me and I would not allow it to happen from my servers. But I digress. Please add the additional information that you posted in the comment to your original question by [edit]ing it. That will help differentiate this question from the other one. – Miguel-F Sep 10 '14 at 15:39
  • 1
    *that's very different from my situation.* But it sounds like the answer is the same: either install the certs OR override the TrustManager (not recommended). *how to load this class into the ColdFusion JVM* Not having done it, I am guessing you load it like any other class and then use `createObject` (I do not *think* you can cfhttp). That said, it **sounds potentially dangerous if misused**. If you accidentally applied it across the entire jvm, it would essentially disable SSL entirely. So someone could open a connection, thinking it was secure, when it really wasn't. – Leigh Sep 11 '14 at 16:55
  • The main difference is that in your situation installing the cert is a viable(recommended) option. In my case it is not. As stated before there are no security issues. The application runs on an intranet for employees only. The only thing a employee can do is type in an url and download the source code to analyze. – Nebu Sep 12 '14 at 07:12
  • 1
    Does not matter whether it is one url or a thousand, the *options* for handling it are the same. Since you say the first option is out, all that is left is for you to try the second one. Keep in mind the advice offered here is not just for *your* benefit alone. The fact is this does pose some risks. Not mentioning those would be irresponsible. While you may have decided it is acceptable in your environment, that may not be the case for the next guy searching the archives. – Leigh Sep 12 '14 at 16:07
  • So what happened when you tried the second option? – Leigh Dec 15 '14 at 16:14
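The point Leigh raises in the comments above, that a 'fake' TrustManager is only tolerable if it is scoped to a single connection and never installed as the JVM default, can be shown concretely. The following is an added example written for this page; it is not code from the question, from ColdFusion, or from the linked answer, and the class name `PermissiveFetch` and its `fetch(url, insecure)` signature are this example's own choices. It builds the trust-everything manager the question refers to, but hands the resulting socket factory to one `HttpsURLConnection` instance instead of calling `SSLContext.setDefault` or `HttpsURLConnection.setDefaultSSLSocketFactory`, so every other HTTPS client in the same JVM keeps normal validation.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical helper (not part of ColdFusion) that fetches a page over HTTPS
 * without certificate validation, scoped to ONE connection rather than the
 * whole JVM. Class name and method names are this example's own.
 */
public class PermissiveFetch {

    /** The "fake" trust manager: accepts any chain, like curl --insecure. */
    private static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /** Hostname matching must be relaxed too, or a cert for another host still fails. */
    private static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    /** Socket factory backed by TRUST_EVERYTHING; handed to individual connections only. */
    private static SSLSocketFactory insecureFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, new SecureRandom());
        // Deliberately NOT calling SSLContext.setDefault(ctx) or
        // HttpsURLConnection.setDefaultSSLSocketFactory(...): both are process-wide
        // and would silently turn off validation for every other HTTPS client in
        // the same JVM (cfhttp, mail, database drivers, ...).
        return ctx.getSocketFactory();
    }

    /**
     * Downloads the body of an http(s) URL.
     * @param insecure when true, skip certificate and hostname checks for THIS
     *                 connection only; when false, the JVM's normal trust store applies.
     */
    public static String fetch(String url, boolean insecure)
            throws IOException, GeneralSecurityException {
        URL target = new URL(url);
        String scheme = target.getProtocol();
        // Users choose the URL, so refuse anything that is not plain HTTP(S).
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            throw new IOException("Refusing non-HTTP scheme: " + scheme);
        }
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setConnectTimeout(10000);
        conn.setReadTimeout(30000);
        conn.setRequestMethod("GET");
        if (insecure && conn instanceof HttpsURLConnection) {
            HttpsURLConnection https = (HttpsURLConnection) conn;
            https.setSSLSocketFactory(insecureFactory()); // instance setter, not the static one
            https.setHostnameVerifier(ANY_HOST);
        }
        try (InputStream in = conn.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return buf.toString(StandardCharsets.UTF_8.name());
        }
    }

    /** Stand-alone use: java PermissiveFetch https://host.example/page */
    public static void main(String[] args) throws Exception {
        String body = fetch(args[0], true);
        System.out.println("fetched " + body.length() + " chars from " + args[0]);
    }
}
```

To use it from CFML along the lines Leigh suggests, compile the class into a jar, put that jar on the ColdFusion classpath (for example via `this.javaSettings = { loadPaths = ["/path/to/permissivefetch.jar"] }` in Application.cfc on ColdFusion 10 and later, or by dropping it in the server's lib directory and restarting), and call `createObject("java", "PermissiveFetch").fetch(url, true)` instead of `cfhttp`. The body you get back is unauthenticated: with `insecure` set, a host on the path between the server and the target can serve whatever it likes, which is exactly the trade-off the comments describe. The scheme check in `fetch` is the minimum for a URL a user typed in; anything the ColdFusion server can reach over HTTP is reachable to that user through this helper.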

0 Answers