Anyone else had issues after upgrading to Java 11....
# adobe
m
Anyone else had issues after upgrading to Java 11.0.17+10-LTS-269? We are getting various errors when making https calls and SQL server calls: "Could not derive key"
SQL Server:
"The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: ""Could not derive key"".
CFHTTP:
I/O Exception: Could not derive key
JVM args:
-server -Xdebug --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/sun.util.cldr=ALL-UNNAMED --add-opens=java.base/sun.util.locale.provider=ALL-UNNAMED -XX:MaxMetaspaceSize=192m -XX:+UseParallelGC -Djdk.attach.allowAttachSelf=true -Dcoldfusion.home={application.home} -Djava.security.egd=/dev/urandom -Duser.language=en -Dcoldfusion.rootDir={application.home} -Dcom.sun.xml.bind.v2.bytecode.ClassTailor.noOptimize=true -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dorg.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.JavaUtilLog -Djava.util.logging.config.file={application.home}/lib/logging.properties -Djava.locale.providers=COMPAT,SPI -Dsun.font.layoutengine=icu -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2" -Dlog4j2.formatMsgNoLookups=true -Dcoldfusion.datemask.useDasdayofmonth=true -Dcoldfusion.xml.allowPathCharacters=true
r
What version of ColdFusion and what SQL driver? I probably don't know the answer but I'd guess support for TLS 1.0, TLS 1.1, or a cipher suite you have in use was dropped.
m
CF 2021
r
MS SQL? MySQL? Other?
b
I've seen other people with this issue add a JDBC arg to disable SSL for the connection
I'm not sure what the "real" fix is though since I'm not sure what the real issue is, lol
m
MS SQL com.microsoft.sqlserver.jdbc.SQLServerDriver jdbc 9.4
Yeah - this is our DEV server - so we want to get the "correct" answer - not just a hack or work around. Going to remove the TLS 1.0 and 1.1 and see if that solves it. That would make the most sense.
b
Is there a later version of the JDBC driver you can use?
m
b
What version of SQL Server?
Is it on an older machine?
That error appears to be related to a newer and older version of SSL trying to communicate and not agreeing on the algorithms they know
m
So after removing TLS 1.0 and 1.1 (so only 1.2) - the SQL server connections are working but the https is still not working
b
Enabling SSL logging on the JVM would likely provide more info on what went wrong
Also, can you provide the full stack trace
Often times these SSL errors have a "caused by" with the full details at the bottom of the stack
m
hmmm cfhttp requests don't seem to give a full stack trace
But here was the error from SQL before I removed the TLS 1.0 and 1.1 args
"Error","ajp-nio-161.134.126.4-8310-exec-9","11/16/22","11:37:25",LMSADMIN,"Error Executing Database Query.The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: ""Could not derive key"". ClientConnectionId:de355d4c-c115-42bd-a1a0-b35153b4963b The specific sequence of files included or processed is: /web/training/admindocs/ilt/index.cfm, line: 1254 "
coldfusion.tagext.sql.QueryTag$DatabaseQueryException: Error Executing Database Query.
        at coldfusion.tagext.sql.QueryTag.startQueryExecution(QueryTag.java:929)
        at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:821)
        at cfclasslist2ecfm1550090865._factor44(/web/training/admindocs/ilt/eventsLA/classlist.cfm:1254)
        at cfclasslist2ecfm1550090865._factor53(/web/training/admindocs/ilt/eventsLA/classlist.cfm:1247)
        at cfclasslist2ecfm1550090865.runPage(/web/training/admindocs/ilt/eventsLA/classlist.cfm:1)
        at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:257)
        at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:749)
        at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:578)
        at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:5201)
        at cfindex2ecfm1692832110._factor0(/web/training/admindocs/ilt/index.cfm:373)
        at cfindex2ecfm1692832110.runPage(/web/training/admindocs/ilt/index.cfm:1)
        at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:257)
        at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:749)
        at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:578)
        at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
        at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:613)
        at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
        at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
        at coldfusion.filter.PathFilter.invoke(PathFilter.java:162)
        at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
        at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:97)
        at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
        at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
        at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
        at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
        at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
        at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
        at coldfusion.CfmServlet.service(CfmServlet.java:231)
        at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)
        at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter(MobileDeviceDomInspectionFilter.java:57)
        at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:377)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:463)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Could not derive key". ClientConnectionId:de355d4c-c115-42bd-a1a0-b35153b4963b
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2670)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1837)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2257)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1921)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1762)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1077)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:623)
        at coldfusion.server.j2ee.sql.pool.JDBCPool.createPhysicalConnection(JDBCPool.java:666)
        at coldfusion.server.j2ee.sql.pool.ConnectionRunner$RunnableConnection.run(ConnectionRunner.java:67)
        ... 1 more
Caused by: javax.net.ssl.SSLException: Could not derive key
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:369)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
        at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1554)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:431)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:388)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1767)
        ... 8 more
Caused by: java.security.ProviderException: Could not derive key
        at jdk.crypto.ec/sun.security.ec.ECDHKeyAgreement.deriveKeyNative(ECDHKeyAgreement.java:272)
        at jdk.crypto.ec/sun.security.ec.ECDHKeyAgreement.lambda$engineGenerateSecret$0(ECDHKeyAgreement.java:171)
        at java.base/java.util.Optional.orElseGet(Optional.java:369)
        at jdk.crypto.ec/sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:170)
        at jdk.crypto.ec/sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:202)
        at java.base/javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:660)
        at java.base/sun.security.ssl.KAKeyDerivation.t12DeriveKey(KAKeyDerivation.java:77)
        at java.base/sun.security.ssl.KAKeyDerivation.deriveKey(KAKeyDerivation.java:61)
        at java.base/sun.security.ssl.ECDHClientKeyExchange$ECDHEClientKeyExchangeProducer.produce(ECDHClientKeyExchange.java:428)
        at java.base/sun.security.ssl.ClientKeyExchange$ClientKeyExchangeProducer.produce(ClientKeyExchange.java:65)
        at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
        at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:478)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:456)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1382)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1295)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:416)
        ... 10 more
Caused by: java.security.InvalidAlgorithmParameterException
        at jdk.crypto.ec/sun.security.ec.ECDHKeyAgreement.deriveKey(Native Method)
        at jdk.crypto.ec/sun.security.ec.ECDHKeyAgreement.deriveKeyNative(ECDHKeyAgreement.java:269)
        ... 29 more
b
I'm confused-- what are you doing with cfhttp requests? I thought this was a question about JDBC!
m
it was failing for both issues
b
I see
That stack trace is very useful. It contains 1000% more information than your original error you reported 🙂
👍🏻 1
I would recommend Googling some of the bits of that error stack trace. The nice thing about most SSL issues is they are experienced by the entire Java world
You can see the root cause is InvalidAlgorithmParameterException which means the client and server can't agree on an algorithm they both support
m
yeah - been doing that for several hours now.
b
Did you see these questions I asked above:
What version of SQL Server?
Is it on an older machine?
I assume this will boil down to an old OS or old driver, or old JVM, etc etc somewhere
m
So I am actually connecting to 3 different SQL servers.
b
Also, what host are you connecting to when the cfhttp call fails? Usually SSL errors are specific to the remote host you're connecting to and I assume you're not making HTTP calls to your SQL Server!
m
I would agree except I also need to solve the CFHTTP issue as well - and it is the same error message. I am connecting to AWS REST APIs
👍 1
b
Also, what Java provider are you using? Oracle or an openjdk variant?
I also need to solve the CFHTTP issue as well
That's fine, I'm just saying there may be more than one problem and it's hard to narrow down when there are factors we don't know about (testing more than one thing at a time)
👍🏻 1
m
mssql-jdbc-9.4.0.jre8.jar
b
I don't know if it matters, but is there a reason you're using a jre8 jar with Java 11?
m
No particular reason - migrated CF server through many versions and have not thought to update it. But we easily could.
b
This is interesting-- it's actually a CF person. It's a few years old, but worth trying https://stackoverflow.com/a/42380219/2166947
How have you installed ColdFusion?
m
manually
b
Not quite what I mean
How is it deployed?
With the standard installer?
on Tomcat?
On another servlet?
m
download GZ - unzipped and run installer
👍 1
b
Did you answer the question of what versions of SQL Server you were connecting to?
Also, have you tried the SSL debugging I mentioned?
And did you see my question about what JRE you're using?
m
DEV SQL Server:
b
That doesn't show the SQL server version, does it?
m
Version 15 = SQL server 2019
👍 1
Verified all 3 MS SQL servers are the same
b
OK, just wanted to rule out some old version of SQL Server or Windows in the mix
👍🏻 1
m
JRE - using
b
Well, I don't see any obvious issues. SSL debugging is probably the next step, but it's a pain to decipher. At this point you may want to reach out to Adobe's "install" support and ask them.
s
Worth trying a switch to openjdk version of 11 instead of oracle just to check
Sorry just seen the image in better resolution I see you are using openjdk
I agree with Brad re SSL debugging though
m
Ok thanks @bdw429s @salted for your help. For now we went back to 11.0.16.1. We will schedule more time to do some detailed debugging.
b
Hmm, so it's only that latest Java update? This very well may be a bug in Java itself
Or an SSL bit that was removed
m
Yeah that's the only thing we changed last night.