Adobe CF8 SSLv3 Webservices

ColdFusion


So you have some very sensitive data being made available via a web service which is secured using SSLv3 (Client certificates).  If you’re using ColdFusion 8, you’ll have to say goodbye to your good friend CfInvoke as he doesn’t speak the lingo (SSLv3).  Your old pal CfHttp does, but you’ll have to help him along by washing his mouth out with some SOAP.

In other words, CfInvoke cannot cope with client certificates and neither can his cousin CreateObject.  Strangely enough, CfHttp does support them but of course you have to do all the SOAP stuff yourself in order to communicate with the web service.

Here’s how it’s done

  1. You’ll need to find out where the web service requests should actually be sent.  If you can get hold of the WSDL, open it up and look for something like this:
    <wsdl:service name="BobbyService">
     <wsdl:port binding="impl:bobby.cfcSoapBinding" name="bobby.cfc">
      <wsdlsoap:address location="https://localhost/bobby.cfc"/>
     </wsdl:port>
    </wsdl:service>
    
  2. The location attribute is the one you’ll need; it can sometimes be different from the one you expect or the one you got the WSDL from.
  3. Now you’ll have to do some work yourself, figuring out exactly what the web service is expecting.  You’ll usually have some documentation to help you along, otherwise you’ll have to work through the WSDL and figure it out yourself.
  4. We’ll need to build the SOAP request.  Notice that foobar relates to the method and the arguments are contained within it:
    <cfsavecontent variable="soap">
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Body>
     <foobar>
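      <!--- argumentOne / argumentTwo are placeholder names: use the argument names from your WSDL --->
      <argumentOne xsi:type="xsd:string">Mister Dai</argumentOne>
      <argumentTwo xsi:type="xsd:string">z</argumentTwo>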
     </foobar>
     </soapenv:Body>
    </soapenv:Envelope>
    </cfsavecontent>
    <cfset soap = Trim(soap) />
    
  5. Now we’ll use CfHttp to make the actual request:
    <cfhttp url="https://localhost/bobby.cfc" method="post"
     clientCert="#ExpandPath('./bob.pfx')#"
     clientCertPassword="*********">
     <cfhttpparam type="header" name="content-type" value="text/xml" />
     <cfhttpparam type="header" name="content-length" value="#Len(soap)#" />
     <cfhttpparam type="header" name="charset" value="utf-8" />
     <cfhttpparam type="xml" name="message" value="#soap#" />
     <cfhttpparam type="header" name="SOAPAction" value="" />
    </cfhttp>
    
  6. Your result will be available via cfhttp.fileContent:
    <cfdump var="#XmlParse(cfhttp.fileContent)#" />
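
Step 6 parses whatever came back. The block below is an added example, not code from the original post: a hypothetical helper, readSoapResponse, that checks a cfhttp result before trusting it, so a failed certificate handshake, an HTML error page, or a SOAP fault is reported instead of being parsed as data. The sample response at the end is constructed.

```cfml
<!--- Added example: readSoapResponse is a hypothetical helper, not from the original post. --->
<cffunction name="readSoapResponse" returntype="struct" output="false">
    <cfargument name="response" type="struct" required="true" />
    <cfset var result = StructNew() />
    <cfset var doc = "" />
    <cfset var faults = "" />
    <cfset result.ok = false />
    <cfset result.error = "" />

    <!--- No numeric status means no HTTP response at all, e.g. the TLS handshake
          failed because the client certificate or its password was rejected. --->
    <cfif Val(arguments.response.statusCode) EQ 0>
        <cfset result.error = "No HTTP response: " & arguments.response.statusCode />
        <cfreturn result />
    </cfif>

    <!--- Only hand real XML to XmlParse; a proxy or server error page is not XML. --->
    <cfif NOT IsXML(arguments.response.fileContent)>
        <cfset result.error = "Non-XML body, status " & arguments.response.statusCode />
        <cfreturn result />
    </cfif>

    <cfset doc = XmlParse(arguments.response.fileContent) />
    <!--- local-name() matches the Fault element whatever namespace prefix the server uses. --->
    <cfset faults = XmlSearch(doc, "//*[local-name()='Fault']/*[local-name()='faultstring']") />
    <cfif ArrayLen(faults) GT 0>
        <cfset result.error = "SOAP fault: " & faults[1].XmlText />
        <cfreturn result />
    </cfif>
    <cfif Val(arguments.response.statusCode) NEQ 200>
        <cfset result.error = "Unexpected status " & arguments.response.statusCode />
        <cfreturn result />
    </cfif>

    <cfset result.ok = true />
    <cfset result.xml = doc />
    <cfreturn result />
</cffunction>

<!--- Constructed sample: a SOAP 1.1 fault as a server might return it. --->
<cfset sample = StructNew() />
<cfset sample.statusCode = "500 Internal Server Error" />
<cfset sample.fileContent = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode><faultstring>Access denied</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>' />
<cfset checked = readSoapResponse(sample) />
<cfoutput>#checked.ok#: #HTMLEditFormat(checked.error)#</cfoutput>
```

After the cfhttp call in step 5, pass the cfhttp struct itself: readSoapResponse(cfhttp).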
    

Conclusion

While this is probably a better workaround than having another server-side language act as a go-between, I still think Adobe should push support for client certificates into anything that’s making an HTTP request.  For example, cfcache, cfschedule and the admin scheduled task all make web requests which would fail if a certificate was required for access.  I also seem to remember that CfDocument makes requests for retrieving images.

Railo comparison

The score is now Railo 1 – Adobe 1 as Railo currently doesn’t support client certificates on its CfHttp tag or the others (CfInvoke, createobject etc…).  I’ve put in a request for it via their new UserVoice site, so please vote for it if you think you’ll ever need it, even if you only use Adobe’s engine, since it’ll pressure them into adding it too ;)


About misterdai
Web Developer, ColdFusion, PHP, XBox360 Gamer and Lost fan from Wales
