# box-products
r
I'm getting cmdbox failures reaching out to any endpoint for https://www.foregebox.io while working on a client's remote desktop. The JSON returns correctly when checking the links in the web browser. I was looking at the following thread (https://groups.google.com/a/ortussolutions.com/g/commandbox/c/xYE-BezUZoc), but everything returned in cmdbox returns a connection failure. I'm currently using v5.9.0+00721. I appreciate any suggestions 🙂
b
I would suspect some sort of HTTP proxy is required to access the internet and this proxy is configured in their web browser, but not in CommandBox.
Either that or a WAF/firewall is blocking requests
r
I was thinking firewall, possibly. I'll see if there is a proxy in the browser that I can use in cmdbox. Thanks, Brad!
I finally got a reply from IT on this. They said that there are no restrictions. I also checked the browser for any sort of proxy and there isn't any sort of proxy set up. Weird...
b
Make an HTTP connection to the same URL with throwerror set to true and see if you get an exception
Could be an SSL error
r
Got the following error.
"Unknown host: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
b
Well, there you go
Lucee's trust store doesn't trust cert presented by the server
I assume this site is using a self-signed cert or your firewall is doing some sort of SSL snooping
OH wait, it's forgebox.
So probably ssl snooping
Run this
❯ #sslcertificatelist forgebox.io
[
    {
        "subject":"CN=sni.cloudflaressl.com, O=\"Cloudflare, Inc.\", L=San Francisco, ST=California, C=US",
        "issuer":"CN=Cloudflare Inc ECC CA-3, O=\"Cloudflare, Inc.\", C=US"
    },
    {
        "subject":"CN=Cloudflare Inc ECC CA-3, O=\"Cloudflare, Inc.\", C=US",
        "issuer":"CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE"
    }
]
and tell me if your output is any different?
r
I found the following trick you mentioned to someone in a forum and it is working so far! Thanks, Brad 🙂
#sslcertificateinstall forgebox.io
b
Right, but can you still run what I told you to run above?
I want to see what the issue was
@ryan
r
Certainly will, I have to take my kids to tennis and will do that when I get back tonight
@bdw429s The following is the response from the cert list function.
❯ #sslcertificatelist forgebox.io
[
    {
        "subject":"CN=sni.cloudflaressl.com, O=\"Cloudflare, Inc.\", L=San Francisco, ST=California, C=US",
        "issuer":"CN=\"Zscaler Intermediate Root CA (zscalertwo.net) (t) \", OU=Zscaler Inc., O=Zscaler Inc., ST=California, C=US"
    },
    {
        "subject":"CN=\"Zscaler Intermediate Root CA (zscalertwo.net) (t) \", OU=Zscaler Inc., O=Zscaler Inc., ST=California, C=US",
        "issuer":"EMAILADDRESS=support@zscaler.com, CN=Zscaler Intermediate Root CA (zscalertwo.net), OU=Zscaler Inc., O=Zscaler Inc., ST=California, C=US"
    },
    {
        "subject":"EMAILADDRESS=support@zscaler.com, CN=Zscaler Intermediate Root CA (zscalertwo.net), OU=Zscaler Inc., O=Zscaler Inc., ST=California, C=US",
        "issuer":"EMAILADDRESS=support@zscaler.com, CN=Zscaler Root CA, OU=Zscaler Inc., O=Zscaler Inc., L=San Jose, ST=California, C=US"
    }
]
b
So you can blame your sysadmin 🙂
Tell them to quit snooping on your ssl traffic!
Your firewall is swapping out the ssl cert on external sites to one that allows them to spy on all your https traffic
Your sysadmins auto-add your firewall's root cert to your Windows trust store so your browser works.
But Java has its own trust store
Make sure they feel guilty about this invasive network hack they neglected to tell you about 😉😂
r
Are they technically allowed to do that?
b
¯\_(ツ)_/¯
r
It's a remote desktop
b
I'm sure it's in your fine print
r
completely controlled environment
I would much rather not be working on a RD, but that's what they wanted
b
But yeah, they're totally tampering with stuff
r
With the cert install function, it made it work though
b
Well yes, that is the fix
r
does that install override their ability to snoop at least while using commandbox? Lol
b
But when you asked them if the firewall requires anything special and they said “no”, they were wrong
No
r
damn
b
It just trusts their snooping, lol
r
Lol
b
Let me know what your sysadmins say when you tell them it was their fault
In the wild, that's known as a “man in the middle” attack, and there's a reason the request is rejected!
r
Interesting, I think I read a comment somewhere with you mentioning "man-in-the-middle attack"
Thanks, Brad. Appreciate your help!