Remoting over SSL with a Hardware Load Balancer

July 13, 2010 · No Comments

I recently ran into a little issue with making remoting calls from ColdFusion over SSL, where the SSL is being handled by a hardware load balancing device with SSL acceleration. The issue wasn't experienced during Dev or Test simply because neither of those environments is behind a Load Balancer (best practice would dictate that at the very least Test should be, but these devices ain't exactly cheap, and whilst we could set up a second load balancer pool on the same device to sit in front of Test, there is a complete separation between the different environments).

Now, there are actually quite a few blog posts out there that clearly explain how to get remoting working over SSL. However, all these posts detail the step(s) to be taken when using your web server to handle SSL.

I've linked to a post by Barney Boisvert, who covers just this point: http://www.barneyb.com/barneyblog/2007/09/01/flex2-and-3-remoteobjects-over-ssl-with-coldfusion/

The image below also shows how the request works when your web server handles the SSL.

[Image: request flow when the web server terminates SSL]
However, the small but subtle difference between your web server and a hardware load balancing (HLB) device handling the SSL is that the HLB decrypts the request and then passes the decrypted message on to your web server (i.e. over HTTP rather than HTTPS).

So you end up with what's shown below. Ultimately, the client request indicates that it wants to talk to the secure end point, but the request itself is no longer secure (the HLB has already decrypted it), so when the secure end point finally receives the request over plain HTTP it gets all grumpy and rejects it.

[Image: request flow when the HLB terminates SSL and forwards over HTTP]
The solution is actually incredibly simple. You can either compile your app using different services-config.xml files, one for Dev/Test and one for Production, or you can just modify the services-config.xml file on Production so that the secure channel always points to the non-secure endpoint class.

So, in your services-config.xml file you would change:

<channel-definition id="my-cfamf-secure" class="mx.messaging.channels.SecureAMFChannel">
    <endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/cfamfsecure/" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
    <properties>
        <polling-enabled>false</polling-enabled>
        <serialization>
            <instantiate-types>false</instantiate-types>
        </serialization>
        <add-no-cache-headers>false</add-no-cache-headers>
    </properties>
</channel-definition>


TO:

<channel-definition id="my-cfamf-secure" class="mx.messaging.channels.SecureAMFChannel">
    <endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/cfamfsecure/" class="flex.messaging.endpoints.AMFEndpoint"/>
    <properties>
        <polling-enabled>false</polling-enabled>
        <serialization>
            <instantiate-types>false</instantiate-types>
        </serialization>
        <add-no-cache-headers>false</add-no-cache-headers>
    </properties>
</channel-definition>


So you're simply telling the SecureAMFChannel to point to the non-secure class. It's that simple.
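To make the failure mode above concrete, here is an added example (not code from the original post, and not the BlazeDS or ColdFusion implementation) that models a "secure" endpoint the way a servlet container would see it: the request only counts as secure if the hop that reached the server was itself TLS. Behind a TLS-terminating HLB that hop is plain HTTP, so a secure-only endpoint returns a rejection, while the post's fix (declaring the endpoint non-secure) serves it. The example also shows the other common remedy, which the post does not use: trusting an `X-Forwarded-Proto` header, but only when the request arrives from the load balancer's own address range. The proxy address range, the header being set by the HLB, and the sample requests are all constructed assumptions for the demonstration.

```python
"""
Model of a secure-only endpoint behind a TLS-terminating load balancer.

Illustrative WSGI-style model only; it is not the Flex/BlazeDS endpoint code.
"""
from ipaddress import ip_address, ip_network
from typing import Mapping

# Constructed assumption: the address range the load balancer pool connects from.
# Only peers in this range may assert that the client-facing hop used TLS.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

# Constructed sample requests, in the shape of WSGI environ dictionaries.
# 1) Web server terminates SSL itself: this hop is https.
REQ_WEBSERVER_TLS = {"wsgi.url_scheme": "https", "REMOTE_ADDR": "203.0.113.9"}
# 2) HLB terminates SSL and forwards over plain HTTP (the post's scenario).
REQ_BEHIND_HLB = {
    "wsgi.url_scheme": "http",
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_PROTO": "https",
}
# 3) Plain HTTP from an arbitrary host that merely claims to have been https.
REQ_UNTRUSTED_CLAIM = {
    "wsgi.url_scheme": "http",
    "REMOTE_ADDR": "203.0.113.9",
    "HTTP_X_FORWARDED_PROTO": "https",
}


def request_is_secure(environ: Mapping[str, str], trust_forwarded: bool = False) -> bool:
    """Return True if the request should be treated as having arrived over TLS.

    Without trust_forwarded this mirrors what the container reports: only the
    last hop counts, which is exactly why the HLB case fails. With
    trust_forwarded, a forwarded-proto header is honoured, but only from a peer
    inside TRUSTED_PROXIES, so an arbitrary client cannot assert it.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if not trust_forwarded:
        return False
    try:
        peer_ip = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if not any(peer_ip in net for net in TRUSTED_PROXIES):
        return False  # header from an untrusted peer is ignored
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def serve(environ: Mapping[str, str], endpoint_secure: bool, trust_forwarded: bool = False) -> int:
    """Model the endpoint: a secure-only endpoint refuses non-secure requests.

    Returns an HTTP status code: 200 when served, 403 when rejected.
    """
    if endpoint_secure and not request_is_secure(environ, trust_forwarded):
        return 403
    return 200


def scenarios() -> dict:
    """Run the cases the post describes plus the forwarded-proto alternative."""
    return {
        # Web server handles SSL: secure endpoint is happy.
        "webserver_tls_secure_endpoint": serve(REQ_WEBSERVER_TLS, endpoint_secure=True),
        # HLB handles SSL, endpoint still declared secure: rejected.
        "hlb_secure_endpoint": serve(REQ_BEHIND_HLB, endpoint_secure=True),
        # The post's fix: point the channel at the non-secure endpoint class.
        "hlb_nonsecure_endpoint": serve(REQ_BEHIND_HLB, endpoint_secure=False),
        # Alternative: keep the secure endpoint, trust the HLB's header.
        "hlb_secure_endpoint_trust_header": serve(REQ_BEHIND_HLB, endpoint_secure=True, trust_forwarded=True),
        # Same header from a peer outside the proxy range is not trusted.
        "untrusted_claim_trust_header": serve(REQ_UNTRUSTED_CLAIM, endpoint_secure=True, trust_forwarded=True),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```

Note that either remedy leaves the hop between the HLB and the web server in clear text, as the post itself describes; the forwarded-header variant only restores the endpoint's view of the client-facing hop, and is safe only if the header cannot reach the endpoint from anywhere but the load balancer.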

Tags: Air · ColdFusion · Flex
