ColdFusion and SSLv3
04 Jul 2008
Last week was probably one of the most unproductive and frustrating weeks that I've been in. I spent 70% of my time Googling around, trying different things around,
I was assigned a project to integrate our system with an overseas partner; the integration will be facilitated via web services, and our partner's web services are secured via SSL. I've done quite a bit of web service integration work, but doing secure web services over SSL is something new for me.
During the course of the week I hit so many walls (if you are only interested in ColdFusion and SSL version 3 (SSLv3), skip to the appropriate section below):
Problem 1: Registering certificate to Windows
OK, disclaimer first: as mentioned earlier, I really have little experience with SSL, certificates and the like. So I googled A LOT and tried things frantically as well. To be able to connect to our partner's web services, I had to create a private key (this is to be kept secret) and a Certificate Signing Request (CSR) for the partner to sign.
The partner returned a signed certificate from the CSR, and basically I needed to install this on my machine. Now this was the first major roadblock that I had; it took me and the lead developers on the partner's side about 2 days to solve.
We thought that once the certificate was installed we could just use it to browse the web service site, but whenever I entered the URL, I was always prompted with an empty list of certificates to choose from to secure the connection.
I found out that not only did I have to install the certificate, but I also needed to combine the certificate with my own private key; the result of this is a PKCS12 file. I used OpenSSL again to do this. After installing the PKCS12 file to the key store, the certificate appeared on the list.
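The key, CSR, signed certificate and PKCS12 steps described above, as an added example that is not part of the original post. The subject names, file names and passphrase are constructed, and a throwaway local CA stands in for the partner that signs the CSR; the two check functions confirm that the certificate belongs to the private key and that the bundle really contains both.

```shell
#!/usr/bin/env bash
# Added example. Subjects, file names and the passphrase are constructed;
# the throwaway CA stands in for the partner that signs the CSR.

make_client_bundle() {   # $1 = work dir, $2 = export passphrase
  local d="$1" pass="$2"
  # 1. Private key (never leaves this machine) and the CSR sent for signing.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
  # 2. Stand-in for the partner: a local CA signs the CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null || return 1
  # 3. Certificate + matching private key -> PKCS#12 for the key store.
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
    -certfile "$d/ca.crt" -name example-client \
    -passout "pass:$pass" -out "$d/client.p12"
}

key_matches_cert() {     # $1 = private key, $2 = certificate
  local k c
  # Compare the public key derived from the key with the one in the cert.
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

bundle_has_key_and_cert() {   # $1 = .p12 file, $2 = passphrase
  local out
  out=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
  case "$out" in *"PRIVATE KEY"*) ;; *) return 1 ;; esac
  case "$out" in *"BEGIN CERTIFICATE"*) ;; *) return 1 ;; esac
}

# Demo run in a scratch directory.
work=$(mktemp -d)
if make_client_bundle "$work" "constructed-pass" &&
   key_matches_cert "$work/client.key" "$work/client.crt" &&
   bundle_has_key_and_cert "$work/client.p12" "constructed-pass"; then
  echo "PKCS#12 bundle with key and certificate: $work/client.p12"
fi
```

A `pass:` argument is visible in the process list, so for a real key use OpenSSL's `file:` or `env:` passphrase sources and keep the key file readable only by its owner.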
Problem 2: ColdFusion and SSL version 3 (SSLv3)
To cut the story short, CFINVOKE up to ColdFusion 8 doesn't support SSLv3 (although apparently CFHTTP does; I haven't checked myself). It is still on the wish list for ColdFusion 8; see no. 35.
And how do you know that the web services you're trying to invoke are using SSLv3? If the web service expects you to supply a certificate when invoking its functions, then it's probably SSLv3. For more information on this, read Steven Erat's talkingtree blog, especially this entry. Special thanks to Mark Kruger from the ColdFusion Muse blog, who has kindly replied to my questions.
So I made the decision to use .NET to consume the web services and then use ColdFusion to call this .NET object. Glad to say that this approach works, but it wasn't an easy process, as:
- I haven't done much .NET programming
- I encountered some frustrating issues with CF8 and .NET integration
I think I will explain what the .NET code looks like in another post, but if you are desperate please feel free to contact me; I am sure I can give a snippet or two.