How can I add JsafeJCE cipher suite to Lucee 4.5 for updated PayPal RESTFUL API. Is this possible?

dev google-group-archive
1

REQUEST:

Please can you add JsafeJCE cipher suite to the securitry provider list in
Lucee 4.5. This would bring Lucee 4.5 in line with Adobe Coldfusion 11.

ENVIRONMENT:

I am running Lucee 4.5 with IIS7 on Windows 2008R2.

ISSUE:

I am trying to use OAuth2 with
https://api.sandbox.paypal.com/v1/oauth2/token.
For many months it has been issueing tokens without any problems.

Then, PayPal upgraded their certificates and SSL ciphers requirement:

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US&direct=en

I have updated all my certificates using keytool to cacerts keystore. The
error persists.
So I believe this is not a certificate problem.

I believe it is a problem with the security provider list bundled with JRE.
It does not contain the required cipher suite.

Interestingly, I updated my local testing environment from Adobe Coldfusion
[ACF] 10 to ACF 11, and the problem dissappeared.
I noticed that the security provider list is much more extensive in ACF11,
and includes a beefed up JsafeJCE cipher suite. JsafeJCE is the default
security provider in ACF11.

I am using Railo/Lucee on my production server. It is the most up to date
version of this application server.

I am getting the following error, when trying to obtain a PayPal RESTFUL
API token on my production server:

Cause
string javax.net.ssl.SSLHandshakeException

url
string https://api.sandbox.paypal.com/v1/oauth2/token

Detail
string

ErrorCode
string 0

Extended_Info
string

ExtendedInfo
string

Message
string Received fatal alert: handshake_failure

StackTrace
string Received fatal alert: handshake_failure at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192):192 at
sun.security.ssl.Alerts.getSSLException(Alerts.java:154):154 at

sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959):1959 at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077):1077 at

sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312):1312
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339):1339
at

sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323):1323
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket

(SSLConnectionSocketFactory.java:394):394 at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353):353
at

org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134):134
at

org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353):353
at org.apache.http.impl.execchain.MainClientExec.establishRoute

(MainClientExec.java:380):380 at
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236):236
at org.apache.http.impl.execchain.ProtocolExec.execute

(ProtocolExec.java:184):184 at
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88):88 at
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110):110
at

org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184):184
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82):82
at

lucee.runtime.tag.Executor41.execute(Http41.java:1494):1494 at
lucee.runtime.tag.Executor41.run(Http41.java:1482):1482

https://groups.google.com/forum/#!msg/railo/b_2qteKb7k0/wy9K3zMgXqMJ

2

Although I have not tried it, I have a hunch you could add the latest
JsafeJCE cipher suite using java.security.Security.addProvider()

something like

var sec = createObject(“java”, “java.security.Security”);
var JsafeJCE = … ;
sec.addProvider(JsafeJCE);

You’ll find an example in one of Ben Nadel’s blog posts:

Aria Media Sagl
+41 (0)76 303 4477 cell
skype: ariamediaOn Thu, Feb 4, 2016 at 4:18 PM, <@establishmindfulness> wrote:

REQUEST:

Please can you add JsafeJCE cipher suite to the securitry provider list in
Lucee 4.5. This would bring Lucee 4.5 in line with Adobe Coldfusion 11.

ENVIRONMENT:

I am running Lucee 4.5 with IIS7 on Windows 2008R2.

ISSUE:

I am trying to use OAuth2 with
https://api.sandbox.paypal.com/v1/oauth2/token.
For many months it has been issueing tokens without any problems.

Then, PayPal upgraded their certificates and SSL ciphers requirement:

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US&direct=en

I have updated all my certificates using keytool to cacerts keystore. The
error persists.
So I believe this is not a certificate problem.

I believe it is a problem with the security provider list bundled with JRE.
It does not contain the required cipher suite.

Interestingly, I updated my local testing environment from Adobe
Coldfusion [ACF] 10 to ACF 11, and the problem dissappeared.
I noticed that the security provider list is much more extensive in ACF11,
and includes a beefed up JsafeJCE cipher suite. JsafeJCE is the default
security provider in ACF11.

I am using Railo/Lucee on my production server. It is the most up to date
version of this application server.

I am getting the following error, when trying to obtain a PayPal RESTFUL
API token on my production server:

Cause
string javax.net.ssl.SSLHandshakeException

url
string https://api.sandbox.paypal.com/v1/oauth2/token

Detail
string

ErrorCode
string 0

Extended_Info
string

ExtendedInfo
string

Message
string Received fatal alert: handshake_failure

StackTrace
string Received fatal alert: handshake_failure at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192):192 at
sun.security.ssl.Alerts.getSSLException(Alerts.java:154):154 at

sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959):1959 at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077):1077 at

sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312):1312
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339):1339
at

sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323):1323
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket

(SSLConnectionSocketFactory.java:394):394 at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353):353
at

org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134):134
at

org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353):353
at org.apache.http.impl.execchain.MainClientExec.establishRoute

(MainClientExec.java:380):380 at
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236):236
at org.apache.http.impl.execchain.ProtocolExec.execute

(ProtocolExec.java:184):184 at
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88):88 at
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110):110
at

org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184):184
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82):82
at

lucee.runtime.tag.Executor41.execute(Http41.java:1494):1494 at
lucee.runtime.tag.Executor41.run(Http41.java:1482):1482

Redirecting to Google Groups


Love Lucee? Become a supporter and be part of the Lucee project today! -
http://lucee.org/supporters/become-a-supporter.html

You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/a277a191-17fd-43fe-989f-28368d476c21%40googlegroups.com
https://groups.google.com/d/msgid/lucee/a277a191-17fd-43fe-989f-28368d476c21%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

3

What version of Java are you running? The standard / default Java JCE is
updated when you update your JVM. I was able to hit the url no problem with
Java 1.8.0_45 running Lucee.

The RSA JSafe JCE is a commercial product that Adobe licenses and bundles
with Enterprise Edition of ColdFusion (since version 7 or 8). So if you
wanted to use it with Lucee you would have to purchase a license for it.–
Pete Freitag
https://foundeo.com/ http://foundeo.com/ - ColdFusion Consulting &
Products
http://hackmycf.com - CFML Server Security Scanner

On Thu, Feb 4, 2016 at 10:18 AM, <@establishmindfulness> wrote:

REQUEST:

Please can you add JsafeJCE cipher suite to the securitry provider list in
Lucee 4.5. This would bring Lucee 4.5 in line with Adobe Coldfusion 11.

ENVIRONMENT:

I am running Lucee 4.5 with IIS7 on Windows 2008R2.

ISSUE:

I am trying to use OAuth2 with
https://api.sandbox.paypal.com/v1/oauth2/token.
For many months it has been issueing tokens without any problems.

Then, PayPal upgraded their certificates and SSL ciphers requirement:

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US&direct=en

I have updated all my certificates using keytool to cacerts keystore. The
error persists.
So I believe this is not a certificate problem.

I believe it is a problem with the security provider list bundled with JRE.
It does not contain the required cipher suite.

Interestingly, I updated my local testing environment from Adobe
Coldfusion [ACF] 10 to ACF 11, and the problem dissappeared.
I noticed that the security provider list is much more extensive in ACF11,
and includes a beefed up JsafeJCE cipher suite. JsafeJCE is the default
security provider in ACF11.

I am using Railo/Lucee on my production server. It is the most up to date
version of this application server.

I am getting the following error, when trying to obtain a PayPal RESTFUL
API token on my production server:

Cause
string javax.net.ssl.SSLHandshakeException

url
string https://api.sandbox.paypal.com/v1/oauth2/token

Detail
string

ErrorCode
string 0

Extended_Info
string

ExtendedInfo
string

Message
string Received fatal alert: handshake_failure

StackTrace
string Received fatal alert: handshake_failure at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192):192 at
sun.security.ssl.Alerts.getSSLException(Alerts.java:154):154 at

sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959):1959 at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077):1077 at

sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312):1312
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339):1339
at

sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323):1323
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket

(SSLConnectionSocketFactory.java:394):394 at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353):353
at

org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134):134
at

org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353):353
at org.apache.http.impl.execchain.MainClientExec.establishRoute

(MainClientExec.java:380):380 at
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236):236
at org.apache.http.impl.execchain.ProtocolExec.execute

(ProtocolExec.java:184):184 at
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88):88 at
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110):110
at

org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184):184
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82):82
at

lucee.runtime.tag.Executor41.execute(Http41.java:1494):1494 at
lucee.runtime.tag.Executor41.run(Http41.java:1482):1482

Redirecting to Google Groups


Love Lucee? Become a supporter and be part of the Lucee project today! -
http://lucee.org/supporters/become-a-supporter.html

You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/a277a191-17fd-43fe-989f-28368d476c21%40googlegroups.com
https://groups.google.com/d/msgid/lucee/a277a191-17fd-43fe-989f-28368d476c21%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

4

One other thing I wanted to ask, is do you know how I issue Java debug commands in Lucee.
Can I add to Lucee Tomcat console → Java:

-Djavax.net.debug=ssl:handshake

And where would I view the debug output? This would have been really useful in relation to this issue?

5

Nando, I tried this with no luck. In the end I found out that only CF10 update 17 and CF11 contain the updated JSafeJCE cypher suite. I ended up installing CF11 and everything worked again. On my production server, I uninstalled Railo 4.2+ and did a clean install of Lucee 4.5. And everything worked again.

By the way, the link you added to Ben Nadel’s blog, is very interesting. That guy is great. Easy to understand…

Thanks for your suggestion anyway.

6

Thanks Pete for this answer.

I actually tried this fix, without success and a similar one suggested by Raymond Camden:

Infact, PayPal’s new security policy requires JSafeJCE. CF10 update 17 & CF11 have a more extensive set of cyphers in the JSafeJCE suiite than previous versions. These are required for PayPal’s RESTFUL API.

The only solution was to install CF11, as my CF10 updater kept throwing update installer errors.

On my remote server, I tried updating Railo 4.2+ to Lucee 4.5. The update was successful, but the JRE was not fully updated, but did not break the application server.
In the end, I tried a clean install of Lucee 4.5, and my PayPal connection was restored successfullly once more.

But, I guess different problems require slightly different solutions!

Cheers anyway for your help…