2
votes

How to add TLS 1.2 in cfhttp tag using ColdFusion?

I am using ColdFusion 10. How can I specify that my connection uses TLS 1.1, TLS 1.0, etc.? Can I use the cfhttp tag?


3 Answers

7
votes

ColdFusion 10 will handle the TLS 1.2 protocol using CFHTTP without any issues as long as you are running ColdFusion on Java 1.8.0_nn. You need to upgrade your Java version. Also see this article I wrote on which SSL/TLS protocols are usable for each ColdFusion/Java version combination.

https://www.trunkful.com/index.cfm/2014/12/8/Preventing-SSLv3-Fallback-in-ColdFusion

To install a new Java version I always install the JDK in a non-default location that is only used for ColdFusion, i.e. C:\java\jdk1.8.0_nn\. This way you know it's for ColdFusion and not for the OS. Of course if you're on Linux then the location would be different, but you'd know that already.

Regards, Wil

3
votes

The easiest way that I've found so far to use native CF 10 tags and TLS 1.2 is to upgrade the JDK/JRE to 1.8 on the CF server.

I've been using ColdFusion 10 with Server JRE 1.8 u151 for a while now.

You can download the Server JRE here: http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html

For my Windows Server, I just unzip/tar the server-jre-8u151-windows-x64.tar.gz file to "C:\Program Files\Java". This creates a folder named jdk1.8.0_151.

  1. Log into your CF Administrator
  2. Server Settings > Java and JVM
  3. Set [Java Virtual Machine Path] to C:/Program Files/Java/jdk1.8.0_151/jre
  4. Add this phrase to [JVM Arguments]: -Dhttps.protocols=TLSv1.2
  5. Submit Changes

After you restart ColdFusion, it will now be using Server JRE 1.8u151 and force SSL to use TLS 1.2.
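A quick way to confirm that the JVM swap above actually took effect, added here as an example and not part of the answer: a .cfm page that prints the Java version, the value of https.protocols, and the protocols the JVM's default SSLContext supports and enables, then makes one cfhttp request to an endpoint that refuses anything below TLS 1.2. Oracle documents https.protocols as applying to HttpsURLConnection (and URL.openStream), so the cfhttp probe is the part that tells you whether cfhttp itself negotiates TLS 1.2 rather than just the JVM being capable of it. The test URL is the tlstest.paypal.com endpoint that another answer on this page mentions; substitute any TLS 1.2-only endpoint you control. The script assumes ColdFusion exposes the Java String[] returned by getProtocols() as a CF array (it does for arrayToList/arrayFindNoCase) and that outbound HTTPS is allowed from the server.

```cfml
<!--- tlscheck.cfm: added example, not from the original answer.
      Run it after switching the JVM in CF Administrator and restarting ColdFusion. --->
<cfscript>
    sys = createObject("java", "java.lang.System");
    writeOutput("java.version: " & sys.getProperty("java.version") & "<br>");
    // second argument is the Java default value, so we never get a null back
    writeOutput("https.protocols: " & sys.getProperty("https.protocols", "(not set)") & "<br>");

    // What this JVM can negotiate vs. what it will offer by default
    ctx       = createObject("java", "javax.net.ssl.SSLContext").getDefault();
    supported = ctx.getSupportedSSLParameters().getProtocols();
    enabled   = ctx.getDefaultSSLParameters().getProtocols();
    writeOutput("Supported protocols: " & arrayToList(supported) & "<br>");
    writeOutput("Enabled by default:  " & arrayToList(enabled) & "<br>");

    if (arrayFindNoCase(enabled, "TLSv1.2") EQ 0) {
        writeOutput("<b>TLSv1.2 is not enabled by default in this JVM; "
                  & "the Java 1.8 switch has not taken effect.</b><br>");
    }
</cfscript>

<!--- Assumed test endpoint: PayPal's TLS 1.2-only test host. Replace with your own. --->
<cfset testUrl = "https://tlstest.paypal.com/">

<!--- throwonerror="false": a failed handshake surfaces as statusCode "Connection Failure"
      instead of an exception, so the page always renders the result --->
<cfhttp url="#testUrl#" method="get" result="probe" timeout="10" throwonerror="false">

<cfoutput>
    Probe of #testUrl#: #probe.statusCode#<br>
    Body (first 200 chars): #htmlEditFormat(left(probe.fileContent, 200))#<br>
</cfoutput>
```

If the JVM section shows TLSv1.2 as supported and enabled but the probe still reports "Connection Failure", the failure is on the cfhttp side (certificate trust in the JVM's cacerts, an intercepting proxy, or cfhttp not honouring the JVM setting), not in the Java upgrade itself.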

2
votes

I've been performing TLS 1.2 connections using ColdFusion 4.5, 5.0, 6MX, 7, 8, 9, 10, 11 & 2016 using CFX_HTTP5, a C/C++ tag (0% Java; 0% COM; 0% MFC). http://www.adiabata.com/cfx_http5.cfm

PayPal is in the process of upgrading their API endpoints to allow only TLS 1.2 and HTTP/1.1 connections. https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US

The only way I could connect to https://tlstest.paypal.com/ with CFX_HTTP5 under CF9 & 10 was to set SSL="5". CFX_HTTP5 also enables you to specify which protocol version to use per request. It's not a setting that is enabled and forced on all connections... no guessing, no interfering with other website requirements hosted on the same server, and no need to restart the server when changing protocols.

SSL =
0 - SSL3 and TLS1;
1 - SSL2;
2 - SSL3;
3 - TLS1;
4 - TLS1.1;
5 - TLS1.2;

I've also encountered situations where SSL certificates are temporarily invalid due to accidental expiration. In those cases, CFX_HTTP5's SSLERRORS="OK" flag enabled me to consume the API while ignoring the temporary certificate error. (I don't believe that ColdFusion can do this.)