CF8, SSL, Firefox 3

Hi all,

I am using the developer's edition of CF 8.0.1 (latest, just re-downloaded it today) on OS X 10.5.4, and I am running into a problem with SSL and localhost on it. I installed CF using the built-in JRUN server, everything is default, single server installation, and when I set up SSL, everything is fine if I am going to it using https://127.0.0.1:9100.  However, if I try to use https://localhost:9100 from Firefox 3, I get this error message on my cfserver.log

error Can only accept connection from 127.0.0.1, attempted from 0:0:0:0:0:0:0:1%0
java.io.IOException: Can only accept connection from 127.0.0.1, attempted from 0:0:0:0:0:0:0:1%0
        at jrun.servlet.network.NetworkService.accept(NetworkService.java:393)
        at jrun.servlet.http.SSLService.accept(SSLService.java:70)
        at jrun.servlet.http.SSLService.createRunnable(SSLService.java:123)
        at jrunx.scheduler.ThreadPool$DownstreamMetrics.createRunnable(ThreadPool.java:287)
        at jrunx.scheduler.ThreadPool$ThreadThrottle.createRunnable(ThreadPool.java:349)
        at jrunx.scheduler.ThreadPool$UpstreamMetrics.createRunnable(ThreadPool.java:241)
        at jrunx.scheduler.WorkerThread.run(WorkerThread.java:62)


and Firefox 3 gives this error message:

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)



What's strange is that this error occurs ONLY when I am using Firefox 3 and Safari 3.1.2, but Firefox 2 and Camino will not trigger this error.  Anybody know what's going on?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: http://www.houseoffusion.com/groups/CF-Server/message.cfm/messageid:6674
Subscription: http://www.houseoffusion.com/groups/CF-Server/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.10

Joe Lee wrote:
> I am using the developer's edition of CF 8.0.1 (latest, just re-downloaded it today) on OS X 10.5.4, and I am running into a problem with SSL and localhost on it. I installed CF using the built-in JRUN server, everything is default, single server installation, and when I set up SSL, everything is fine if I am going to it using https://127.0.0.1:9100.  However, if I try to use https://localhost:9100 from Firefox 3, I get this error message on my cfserver.log
>
> error Can only accept connection from 127.0.0.1, attempted from 0:0:0:0:0:0:0:1%0
> java.io.IOException: Can only accept connection from 127.0.0.1, attempted from 0:0:0:0:0:0:0:1%0

> and Firefox 3 gives this error message:
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)

Apparently your SSL certificate is only bound to 127.0.0.1 (IPv4
loopback) and not to ::1 (IPv6 loopback) in your JRun configuration.
Either update your JRun config so the cert is used for all IP addresses,
change your FF config not to prefer IPv6 over IPv4 or change your hosts
file to point localhost to the IPv4 loopback.


> What's strange is that this error occurs ONLY when I am using Firefox 3 and Safari 3.1.2, but Firefox 2 and Camino will not trigger this error.  Anybody know what's going on?

FF2 doesn't default to IPv6.

Jochem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: http://www.houseoffusion.com/groups/CF-Server/message.cfm/messageid:6676
Subscription: http://www.houseoffusion.com/groups/CF-Server/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.10

> Apparently your SSL certificate is only bound to 127.0.0.1 (IPv4
> loopback) and not to ::1 (IPv6 loopback) in your JRun configuration.
> Either update your JRun config so the cert is used for all IP
> addresses,
> change your FF config not to prefer IPv6 over IPv4 or change your
> hosts
> file to point localhost to the IPv4 loopback.
>

That's an amazingly quick response for something I haven't been able to find an answer for in several weeks of passive googling.  In other words, my tired fingers thank you.  After I digested what you wrote, I went to look for the attributes to use in jrun.xml to make this work, and I came upon this post:

http://www.bpurcell.org/blog/index.cfm?mode=entry&entry=1064

My config was missing the bindAddress, interface, and clientAuth attributes, and after I had plugged all those in (probably did not need all 3 though), it worked like a charm.

>
> FF2 doesn't default to IPv6.
>

So that's what it was.  I'll keep this mind for future reference.  Thanks again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: http://www.houseoffusion.com/groups/CF-Server/message.cfm/messageid:6677
Subscription: http://www.houseoffusion.com/groups/CF-Server/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.10