My Day job's production servers are based on Apple X-Serve and OSX as the operating system.
In a bid to get greater service stability last week we decided to roll out the latest system updates, notably upgrading to OSX 10.5.7
We rolled out first to our staging server which is effectively a mirror of production setup, it went smoothly and we tested our several critical apps and all seemed fine.
So we also ran all the additional system minor updates including Apples Java Update 4, as running this on my dev machine had resolved several issues with the java imaging libraries crashing the server while trying to process images with certain colour profiles etc.
Again all seemed good, so we rolled out to the live server. All went fine, or so we thought.
Co-incidently around this time i was experimenting on my dev machine (also 10.5.7 with java updater 4) with recently released google API components without much luck, i was constantly getting "I/O Exception: peer not authenticate" error when trying to connect to googles API. I thought it's just my machine playing up again...
A few days later clients using two seperate applications reported general application errors, after some digging around i traced both errors to CFHTTP calls in each application.
I tested the urls in the browser on the server and both were responding as expected... strange i thought...
So i noticed that both were SSL URLs and the error was "I/O Exception: peer not authenticate", which i then immediately connected back to the troubles i had connecting to googles API on my dev box. After some research on that error, it appeared that previously this error occured with connections to SSL URLs with certs issued by intermediate CAs which weren't present in the trusted CA keystore in the JVM. But google and our other API providers were using the most expensive CA's (thawte, verisign, etc) top level certs, which were definitely present by JVM 1.6 so this couldn't be the same issue.
At this point i asked a co-worker who was only on Java Update 3 to try the same code, or really a CFHTTP to any SSL URL. It worked as expected without error. Bugger.
Unfortunately apples java updates work via patching so there is no rollback or uninstall! In desperation we tried a developer preview of java update 5 on the also broken staging server, with the result that coldfusion no longer even starts up at all :(
So the only resolution was to restore our 10.5.2 pre-update backup and then re-upgrade to 10.5.7 without applying the java update 4.
This worked. We are happy for now! But i'd love to know the solution for this update 4 issues as my dev machine is still broken until i can find time to format and reinstall everything...
So, is anyone out there running OSX 10.5.7 and applied java update 4 and connect CFHTTP calls to SSL servers?
Please let me know!
Jul 28, 2009 at 10:02 PM Why not edit your jvm.config file to point it at a different JVM? You don't have to use the system default JVM.
Jul 28, 2009 at 10:07 PM ok as far as i'm aware and anyone is welcome to correct me, the only JVMs on mac are the apple ones, if you go to sun.com all you get is a link to apple's update site.
now the problem with apples java updaters is they patch all the versions on the machine, so while you can switch between 1.4.x, 1.5.x, and 1.6.x they all had the same patching of something that broke CF.
I had confirmed this, which i forgot to mention. By switching to the different JVMs, all were broken
Aug 4, 2009 at 2:00 AM I am having similar issues, however, I have checked with others who also ran the update who are not having issues.
Have you made any head way in this?
Aug 4, 2009 at 8:41 AM hmm that's quite interesting then Scott, i'm at a loss... as i was able to recreate it exactly on three different machines with the breaking point being that update...
no headway i'm afraid, my dev machine is still broken and i'm planning on reformatting at some point to resolve it, i'm currently not working on anything that requires cfhttp so it's not urgent at the moment.
Please post a comment here if do you find a solution as i'd much prefer to fix than format.
Aug 28, 2009 at 10:15 PM FWIW - if I set my Java Preferences in OS X to use Java 5 first then restart the server the problem is resolved.
Aug 28, 2009 at 10:30 PM i just tried that again after your comment and still no good, my hopes lie with snow leopard at this point! will install it this week
Aug 29, 2009 at 3:46 AM That is odd, becasue when I switch back and forth from Java 5 and Java 6 using Java Preferences, I can make the issue gets resolved in Java 5 and reappears in Java 6.
Aug 29, 2009 at 3:49 AM Also, I just checked and I am running 10.5.8 of OS X
Aug 29, 2009 at 10:43 AM hmm i'm on 10.5.8 too :( ah well, i'll post results when i upgrade to 10.6