tracker issue : CF-3949146


AWS Signing with HMAC Broken in Updater 3


Status/Resolution/Reason: Closed/Withdrawn/AsDesigned

Reporter/Name(from Bugbase): Eric Hoffman / Eric Hoffman (Eric Hoffman)

Created: 03/05/2015

Components: Security

Versions: 11.0

Failure Type: Non Functioning

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 2

Problem Description:  Signing requests per AWS instructions functions in CF 11 Updater 2 and earlier.  From Updater 3 forward, this breaks.

Steps to Reproduce:  Install Updater 3.  Attempt to sign request and pass to AWS.  

Actual Result:  AWS gets an invalid signature

Expected Result:  AWS accepts the signature and lets you interact with the services.

Any Workarounds:  None.  Rolling back to Updater 2 is not an option.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3949146

External Customer Info:
External Company:  
External Customer Name: Eric
External Customer Email:  
External Test Config: My Hardware and Environment details:  AWS EC2 M3.Large instance with CF11

Updates shouldn't break stuff, and definitely shouldn't STAY broken in future updates.
Vote by External U.
8171 | August 11, 2015 05:12:02 PM GMT
Please fix if this is a regression. Please fix if this is a regression. Please fix if this is a regression.
Vote by External U.
8172 | August 11, 2015 06:12:41 PM GMT
I've been successfully signing AWS requests w/ hmac() daily, regardless of CF11 update level (final release thru Update 5). Thanks!, -Aaron
Comment by External U.
8158 | August 12, 2015 02:49:19 AM GMT
For clarity, this is signing requests for ETS and Glacier. The S3 connections, which use a different type of signing, are not affected.
Comment by External U.
8159 | August 12, 2015 08:27:29 AM GMT
Hi Eric, Ah, okay. Yes, I'm using Amazon's Signature Version 2. Whereas it appears this issue is about Version 4. So my comment can be disregarded. Thanks!, -Aaron
Comment by External U.
8160 | August 12, 2015 04:48:25 PM GMT
Hi Eric, I am testing this with a request to Amazon Glacier. Created a vault in the Amazon console, tried with the code below to set up initial communication:
    <cfset vaultName = "<vault name>">
    <cfset archiveFilePath = "<file path>">
    <cfset credentials = CreateObject("java", "com.amazonaws.auth.profile.ProfileCredentialsProvider")>
    <cfset client = CreateObject("java", "").init(credentials)>
    <cfset client.setEndpoint("")>
There seems to be an issue with the above setup, and after this I am stuck with creating an upload request. Could you please share a code snippet to repro the case? And also, did you add anything more than "AWS SDK for Glacier" to the ColdFusion path? Thanks, Akhila.
Comment by Akhila K.
8161 | September 16, 2015 01:28:10 AM GMT
Please share an update on this, so that we can expedite the fix, if required.
Comment by Akhila K.
8162 | September 23, 2015 04:32:18 AM GMT
Hi, where can I submit? We cannot post this code publicly due to client constraints.
Comment by External U.
8163 | September 23, 2015 12:24:47 PM GMT
Please mail the details to Thanks, Akhila.
Comment by Akhila K.
8164 | September 23, 2015 10:46:57 PM GMT
Hello, We are unable to repro the issue and hence are closing. In case you are still facing the issue, please let us know and we will re-open this bug. Thanks, Akhila.
Comment by Akhila K.
8165 | September 28, 2015 03:43:49 AM GMT
We are sending files today.
Comment by External U.
8166 | September 28, 2015 09:19:26 AM GMT
Please confirm receipt.
Comment by External U.
8167 | September 28, 2015 09:23:23 AM GMT
We have received the files, thanks. Will update on this in the earliest. Thanks, Akhila.
Comment by Akhila K.
8168 | September 28, 2015 09:33:10 AM GMT
I have looked at the files given for the repro. The Host header is one of the headers used as part of the signing process. While signing the request, the host name is used along with port 80 (<host>:80). But when the request is sent through cfhttp, the Host header value does not contain port 80 (as it is the default port). So when Amazon computes the signature, it will be different from the actual one. While populating the Host header we only look at the authority part of the given URL, strip out the default port (80 or 443 depending on the protocol) and put that in the Host header. This issue can be solved by passing the Host header value without port 80 in it to the aws4 signing CFC. Before Update 2 the Host header always had a port value (even if it was 80), and because of this cfhttp was not able to consume from servers like Google Maps, which we fixed in Update 2.
Comment by S V.
8169 | October 07, 2015 07:29:16 AM GMT
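As an added illustration of the mismatch described in the comment above (example code written for this page, not ColdFusion's, the reporter's, or AWS's own code), the following Python derives an AWS Signature Version 4 signature twice for the same Glacier request: once over a canonical request whose Host header carries the default port ("host:80"), and once over the Host value an HTTP client that strips default ports actually sends. The service recomputes the signature from the request as received, so the two must agree. Credentials, the timestamp and the ListVaults path are constructed placeholders; canonical_host is an assumed helper that mirrors the port-stripping behaviour the comment attributes to cfhttp after Update 2.

```python
"""Constructed demonstration: AWS SigV4 Host-header port mismatch.

SigV4 signs a canonical request that includes the Host header. If the signer
hashes "host:80" but the HTTP client sends "host" (default port dropped), the
service recomputes a different signature and rejects the request.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed, non-functional credentials and a fixed timestamp for determinism.
ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"          # placeholder, not a real key
SECRET_KEY = "example-secret-key-not-real"   # placeholder, not a real key
REGION = "us-east-1"
SERVICE = "glacier"
AMZ_DATE = "20150928T093310Z"
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: an HMAC chain over date, region, service, terminator."""
    k = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def canonical_host(url: str) -> str:
    """Host header value a client will actually send for `url` (assumed helper):
    hostname plus port, except that the scheme's default port (80/443) is omitted.
    This is the normalisation the comment says cfhttp applies since Update 2."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port is None or parts.port == default_port:
        return parts.hostname
    return f"{parts.hostname}:{parts.port}"


def canonical_request(method: str, path: str, query: str, headers: dict, payload_hash: str) -> str:
    """Build the SigV4 canonical request. `headers` maps lowercase names to values."""
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    return "\n".join([method, path, query, canonical_headers, signed_headers, payload_hash])


def sigv4_signature(creq: str) -> str:
    """Hex signature over the string-to-sign for the canonical request `creq`."""
    date_stamp = AMZ_DATE[:8]
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    creq_hash = hashlib.sha256(creq.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope, creq_hash])
    key = signing_key(SECRET_KEY, date_stamp, REGION, SERVICE)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def signature_for_host(host_header: str) -> str:
    """Signature for a Glacier ListVaults-style GET whose Host header is `host_header`."""
    headers = {
        "host": host_header,
        "x-amz-date": AMZ_DATE,
        "x-amz-glacier-version": "2012-06-01",
    }
    creq = canonical_request("GET", "/-/vaults", "", headers, EMPTY_PAYLOAD_SHA256)
    return sigv4_signature(creq)


def client_vs_server(url: str, host_value_signed: str) -> bool:
    """True if what the client signed matches what the service recomputes from the
    request as sent, whose Host header is canonical_host(url)."""
    return signature_for_host(host_value_signed) == signature_for_host(canonical_host(url))


if __name__ == "__main__":
    url = "http://glacier.us-east-1.amazonaws.com/-/vaults"
    # Signer used "host:80", client sent "host": service rejects (False).
    print("signed host:80 ->", client_vs_server(url, "glacier.us-east-1.amazonaws.com:80"))
    # Signer normalised the Host value the same way the client does: accepted (True).
    print("signed canonical host ->", client_vs_server(url, canonical_host(url)))
```

The fix the comment recommends corresponds to the second call: feed the signing routine the same Host value the HTTP layer will emit, which here means running the URL through canonical_host before building the canonical request.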
We are testing a solution to remove the ports from the calls due to changes in the ACF implementation.
Comment by External U.
8170 | October 16, 2015 12:06:11 PM GMT