tracker issue : CF-4205061

Title:

CFLDAP with CFSSL_CLIENT_AUTH fails before handshake


Status/Resolution/Reason: Open//

Reporter/Name(from Bugbase): George A. / ()

Created: 08/26/2019

Components: Security, SSL

Versions: 2018

Failure Type: Non Functioning

Found In Build/Fixed In Build: CF2016 Update 3 /

Priority/Frequency: Normal / Few users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 0

Problem Description:
On ColdFusion 11 we were able to perform LDAPS queries against the dod411.gds.disa.mil site, which requires a client certificate. Since upgrading to ColdFusion 2018 we have been unable to perform the LDAPS queries. Performing a cfldap call with cfssl_client_auth to dod411.gds.disa.mil fails and no handshake appears in coldfusion-error.log. cfldap to the same site using cfssl_basic correctly results in a handshake and the response "Anonymous access is not allowed".

Steps to Reproduce:
<cfldap action="query" server="dod411.gds.disa.mil" attributes="sn" filter="(sn=Smith)" maxrows="3" name="test1" scope="subtree" start="ou=pki,ou=dod,o=u.s. government,c=us" timeout="5000" port="636" secure="CFSSL_CLIENT_AUTH" clientcert="#WEB_ROOT#mycert.P12" clientcertpassword="#Password#">

Actual Result:
Generic error of "One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server." is displayed on the webpage. Exception.log (attached) also shows "Root exception is java.net.SocketException: Unconnected sockets not implemented".

With "-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager -Djava.security.debug=access:stack " specified in the jvmconfig.xml the log shows the last error message as: "javax.net.ssl|DEBUG|33|http-nio-8500-exec-1|2019-08-26 12:12:34.915 EDT|X509TrustManagerImpl.java:79|adding as trusted certificates (
  "certificate" : {"  followed by the certificate information for all the certificates in the cacert file.

Expected Result:
cfdump should display 3 "Smith" records returned from the dod411.gds.disa.mil site.

Any Workarounds:
None - CF11 is end of life.

Additional Troubleshooting steps I have performed:
1)  Installed fresh copy of CF11 Update 19 and CF2018 Update 4 onto windows 10 desktop.
2)  Installed the "CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US" certificate into the cacert file for CF11. Verified this certificate is already present in the CF2018 cacert file and has a matching fingerprint.
3)  After performing the above steps CF11 was able to perform the LDAPS call and CF2018 was not.
4)  Installed the intermediate and server certificate into CF2018 cacert file with no change to the result.  Note that the certificate presented by https://dod411.gds.disa.mil is not the same certificate presented for ldaps://dod411.gds.disa.mil:636.   They both have the same CN of gds-web-okc01.csd.disa.mil, but different fingerprints and serial numbers.
5)  Copied the cacert file from CF2018 to CF11 and restarted CF11.  The LDAPS query from CF11 worked with CF2018's cacert file which seems to indicate that the certs are correctly loaded in the cacert file.
6)  On CF2018 modified the cfldap call to use cfssl_basic:
<cfldap action="query" server="dod411.gds.disa.mil" attributes="sn" filter="(sn=Smith)" maxrows="3" name="test1" scope="subtree" start="ou=pki,ou=dod,o=u.s. government,c=us" timeout="5000" port="636" secure="CFSSL_BASIC">
This correctly results in the response of "Anonymous access is not allowed".  In the coldfusion-error.log file it correctly shows the SSL handshake occurring, which seems to indicate the cacert file is correct.
7)  Tried adding "-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true" to jvm.config file, with no change to result.
8)  Used Wireshark on CF2018 to see if any LDAPS traffic occurred. With cfssl_client_auth there is no traffic to dod411, which indicates it's failing before doing the handshake. This would seem to indicate that the problem is not caused by a mismatch between DNS and certificate CN.
9)  Installed client, intermediate, and root certificates in CF2018's cacert file. No change to result and calls still fail.
10)  Even though CF11 was working correctly, I also used Softerra LDAP browser to manually verify I could use the certificate to connect to the dod411 site.
11)  Downloaded and installed CF2016 Update 3 and copied working cacert file from CF11.  CF2016 didn't work either and produced the same results as CF2018.
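The "Unconnected sockets not implemented" text in the exception log is the default body of javax.net.SocketFactory's no-argument createSocket(), and the JDK's JNDI LDAP provider takes that path when a connect timeout is configured (cfldap's timeout="5000" here); whether ColdFusion's CFSSL_CLIENT_AUTH socket factory lacks that overload is an assumption, not something the report establishes. The following is an added example, not the reporter's code nor ColdFusion's: a plain-JDK JNDI LDAPS search with a PKCS12 client certificate and a socket factory that implements that overload, which lets a practitioner confirm the certificate and cacert file work outside ColdFusion. The class name and the clientcert.path / clientcert.password system properties are hypothetical.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.net.SocketFactory;
import javax.net.ssl.*;
public class ClientCertLdaps extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private ClientCertLdaps() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] pw = System.getProperty("clientcert.password").toCharArray(); // assumed -D property
        try (InputStream in = new FileInputStream(System.getProperty("clientcert.path"))) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = the JVM's default cacerts
        delegate = ctx.getSocketFactory();
    }
    // JNDI's LDAP provider obtains the factory named in java.naming.ldap.factory.socket via this static method.
    public static SocketFactory getDefault() {
        try { return new ClientCertLdaps(); } catch (Exception e) { throw new IllegalStateException(e); }
    }
    // With com.sun.jndi.ldap.connect.timeout set, JNDI calls this no-argument overload and connect()s
    // the socket itself; SocketFactory's default body throws "Unconnected sockets not implemented".
    @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean ac) throws IOException { return delegate.createSocket(s, h, p, ac); }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://dod411.gds.disa.mil:636");
        env.put("java.naming.ldap.factory.socket", ClientCertLdaps.class.getName());
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // mirrors the report's timeout="5000"
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sn"}); sc.setCountLimit(3); // attributes="sn", maxrows="3"
        DirContext ctx = new InitialDirContext(env);
        NamingEnumeration<SearchResult> r = ctx.search("ou=pki,ou=dod,o=u.s. government,c=us", "(sn=Smith)", sc);
        while (r.hasMore()) System.out.println(r.next().getAttributes().get("sn"));
        ctx.close();
    }
}
```

Run with -Djavax.net.debug=ssl:handshake as in the report; if a handshake now appears and the search returns, the certificate and cacert file are sound and the fault lies in the application's socket factory rather than in the trust material.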

Attachments:

Comments: