SSL stopped working after upgrading to 5.1

I was on CommandBox 5.0.XXX (not sure of the exact version) and had SSL working for the past month or so without issue. I followed a guide on How to Get HTTPS Working in Windows 10 Local Dev Environment to get the SSL certs set up.

Today I decided to upgrade Box to the latest version and then started the server and am having issues with SSL working now.

CommandBox Version: 5.1.1+00191

  • CFML Engine: Lucee

  • CFML Version: 5.3.6.61 stable (Gelert)

  • Java Version: 1.8.0_261 (Oracle Corporation)

  • JLine Terminal org.jline.terminal.impl.jansi.win.JansiWinSysTerminal

  • Runwar Version 4.1.2 (C:\Users******\Utilities\CommandBox\lib\runwar-4.1.2.jar)

My server.json file is set up like this, and has been working.

"SSL":{
    "enable":true,
    "port":443,
    "certFile":"…/config/ssl/research.local.crt",
    "keyFile":"…/config/ssl/research.local.key"
},

If I turn off SSL the site loads fine, but if I turn it on I get the following error on startup and the site doesn't load over https. I went through the guide again and re-generated my SSL certificates just in case something happened there, but it didn't help.

[TRACE] org.xnio.listener: Invoking listener Delegating channel listener -> Accepting listener for io.undertow.server.protocol.http.HttpOpenListener@2ce60024 on channel TCP server (NIO) <69e48bdc>
[TRACE] org.xnio.listener: Invoking listener Accepting listener for io.undertow.server.protocol.http.HttpOpenListener@2ce60024 on channel io.undertow.protocols.ssl.UndertowAcceptingSslChannel@3cf5097f
[TRACE] org.xnio.listener: Invoking listener io.undertow.server.protocol.http.HttpOpenListener@2ce60024 on channel io.undertow.protocols.ssl.UndertowSslConnection@7b2ae56b
[TRACE] io.undertow.request: Opened connection with /127.0.0.1:64735
[TRACE] org.xnio.nio.selector: Beginning select on sun.nio.ch.WindowsSelectorImpl@71d28e1b (with timeout)
[TRACE] org.xnio.nio.selector: Selected on sun.nio.ch.WindowsSelectorImpl@71d28e1b
[TRACE] org.xnio.nio: Running task io.undertow.protocols.ssl.SslConduit$5$1@f5c1d28
[TRACE] org.xnio.nio: Running task io.undertow.protocols.ssl.SslConduit$2@2371b015
[TRACE] org.xnio.listener: Invoking listener io.undertow.server.protocol.http.HttpReadListener@5e079b25 on channel org.xnio.conduits.ConduitStreamSourceChannel@79705780
[TRACE] org.xnio.nio.selector: Beginning select on sun.nio.ch.WindowsSelectorImpl@71d28e1b (with timeout)
[TRACE] org.xnio.nio.selector: Selected on sun.nio.ch.WindowsSelectorImpl@71d28e1b
[TRACE] org.xnio.nio.selector: Selected key sun.nio.ch.SelectionKeyImpl@7f156e51 for java.nio.channels.SocketChannel[connected local=/127.0.0.1:443 remote=/127.0.0.1:64735]
[TRACE] org.xnio.listener: Invoking listener io.undertow.server.protocol.http.HttpReadListener@5e079b25 on channel org.xnio.conduits.ConduitStreamSourceChannel@79705780
[TRACE] org.xnio.nio.selector: Beginning select on sun.nio.ch.WindowsSelectorImpl@71d28e1b (with timeout)
[TRACE] org.xnio.nio.selector: Selected on sun.nio.ch.WindowsSelectorImpl@71d28e1b
[TRACE] org.xnio.nio: Running task io.undertow.protocols.ssl.SslConduit$5$1@38755b03
[TRACE] io.undertow.request.io: Exception closing read side of SSL channel
javax.net.ssl.SSLException: closing inbound before receiving peer’s close_notify
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
at io.undertow.protocols.ssl.SNISSLEngine.closeInbound(SNISSLEngine.java:116)
at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612)
at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:1020)
at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1118)
at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:820)
at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:648)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1084)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:582)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:466)
[TRACE] org.xnio.listener: Invoking listener io.undertow.server.AbstractServerConnection$CloseSetter@21feb105 on channel io.undertow.protocols.ssl.UndertowSslConnection@7b2ae56b
[TRACE] org.xnio.safe-close: Closing resource org.xnio.nio.NioSocketStreamConnection@62916199
[TRACE] org.xnio.nio: Cancelling key sun.nio.ch.SelectionKeyImpl@7f156e51 of java.nio.channels.SocketChannel[connected local=/127.0.0.1:443 remote=/127.0.0.1:64735] (same thread)
[ERROR] io.undertow.request: Closing SSLConduit after exception on handshake
javax.net.ssl.SSLHandshakeException: Could not generate secret
at sun.security.ssl.ECDHKeyExchange$ECDHEKAKeyDerivation.t13DeriveKey(Unknown Source)
at sun.security.ssl.ECDHKeyExchange$ECDHEKAKeyDerivation.deriveKey(Unknown Source)
at sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(Unknown Source)
at sun.security.ssl.SSLHandshake.produce(Unknown Source)
at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(Unknown Source)
at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(Unknown Source)
at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown Source)
at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown Source)
at sun.security.ssl.SSLHandshake.consume(Unknown Source)
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.InvalidKeyException: Invalid key
at com.rsa.cryptoj.o.mc.a(Unknown Source)
at com.rsa.cryptoj.o.mc.engineInit(Unknown Source)
at javax.crypto.Mac.init(Mac.java:413)
at sun.security.ssl.HKDF.extract(Unknown Source)
at sun.security.ssl.HKDF.extract(Unknown Source)

Earlier in the start output I see the SSL being set up, and it appears to be correct. Removed some info with ***.

[INFO ] Runwar: Enabling SSL protocol on port 443
[DEBUG] Runwar: disabling com.sun.net.ssl.enableECC
[DEBUG] Runwar: Creating SSL context from cert: [C:\Users*\config\ssl\research.local.crt] key: [C:\Users*\config\ssl\research.local.key]
[DEBUG] Runwar: Using default store passphrase of ‘password’
[TRACE] org.xnio.safe-close: Closing resource java.io.FileInputStream@42f93a98
[TRACE] org.xnio.safe-close: Closing resource java.io.DataInputStream@c46bcd4
[TRACE] org.xnio.safe-close: Closing resource java.io.FileInputStream@3234e239
[TRACE] org.xnio.safe-close: Closing resource java.io.DataInputStream@3d921e20
[DEBUG] Runwar: One certificate, no chain:
[DEBUG] Runwar: X.509 certificate, public key [ RSA ] C=US,ST=New York,L=,O=,OU=RIS,CN=research.local,E=***
[DEBUG] Runwar: Adding key to store - alias:[serverkey] type:[RSA PKCS#8] passphrase:[********] certs in chain:[1]
[DEBUG] Runwar: UsingTSL
[DEBUG] Runwar: host:research.local
[DEBUG] Runwar: Creating SNI SSL context for hosts: [research.local]

Any ideas on what might have happened? Not sure how else to test this, or what’s causing the issue. Thanks.

I finally figured out the reason. I was using an external JRE. Shown above:

1.8.0_261 (Oracle Corporation)

It was upgraded right before SSL broke. It appears CommandBox isn't fully compatible with that. I tried downgrading CommandBox (without JRE) all the way to 4.6 and it still didn't work. I finally tried the latest version with the JRE included and it worked again! Lesson learned. Just stick with the built-in JRE.
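
In the trace above, the `Caused by` frames show `javax.crypto.Mac.init` being serviced by `com.rsa.cryptoj` during TLS 1.3 key derivation (`sun.security.ssl.HKDF.extract`). The following Java 8 compatible check is an added example, not code from the post or from CommandBox: it reports which JRE is running and probes every installed JCE provider's HMAC the same way. The class name `JceProviderCheck`, the all-zero probe key and its `HKDF-Salt` label are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JceProviderCheck {
    public static void main(String[] args) {
        // Which JRE is actually in use: an external install or a bundled one.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // HMAC algorithms and their output lengths in bytes.
        String[] algs = {"HmacSHA256", "HmacSHA384"};
        int[] lens = {32, 48};

        // Providers are listed in preference order; for a given algorithm the
        // first provider that offers it is normally the one that gets used.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            System.out.println((i + 1) + ". " + p.getName()
                    + " [" + p.getClass().getName() + "]");
            for (int j = 0; j < algs.length; j++) {
                if (p.getService("Mac", algs[j]) == null) {
                    continue; // this provider does not implement the algorithm
                }
                try {
                    // Assumption: probe with an all-zero key of hash length,
                    // labelled "HKDF-Salt"; both values are constructed here.
                    Mac mac = Mac.getInstance(algs[j], p);
                    mac.init(new SecretKeySpec(new byte[lens[j]], "HKDF-Salt"));
                    System.out.println("     " + algs[j] + ": init OK");
                } catch (Exception e) {
                    // An InvalidKeyException here matches the "Caused by" in the trace.
                    System.out.println("     " + algs[j] + ": init FAILED: " + e);
                }
            }
        }
    }
}
```

Run it once with the external JRE and once with the JRE bundled with CommandBox, then compare the provider order and the per-provider results.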