ColdFusion Muse

Surviving Poodle - ColdFusion and SSL 3

There's been a great deal of buzz about Poodle. Poodle is an SSL exploit capable of hijacking a session using a browser's ability to "negotiate downward" the level of SSL it uses. Its recent proliferation has put some urgency into the efforts to force existing applications and platforms to deny the use of any standard of SSL less than version 3.0. Super guru Wil Genovese (Trunkful.com) recently did some troubleshooting on a ColdFusion server with an issue related to this necessary configuration step. Wil writes:

We ran into an issue when a company contacted us at CF Webtools because ColdFusion was suddenly no longer able to connect to their email provider's mail servers. One day ColdFusion was sending emails to their clients just fine and the next day it was failing. As you know, these issues are usually best resolved by asking "What changed?" As far as the client knew, nothing had changed, but we knew enough not to stop digging.


3 Comments

  • Posted By Gary F | 11/25/14 2:41 PM
    I've gone through the SSL3 and CF8 CFHTTP problems recently. We disabled SSL3 on our servers to mitigate Poodle risks. I spent a whole day trying to upgrade Java store certificates for CF8 to connect to https sources, but CF just refused to use the new certs. So I gave up and now we're cfexecuting CURL commands instead, which effortlessly use certs from a bundle. Very simple to set up, no installation required.
    CURL with SSL (Win x64) http://curl.download.nextag.com/download/curl-7.21...
    Bundle of CA public keys: http://curl.haxx.se/ca/cacert.pem (rename this file to curl-ca-bundle.crt and put in same directory as curl.exe)

    It's not always practical for CF8 users to upgrade due to new bugs introduced in CF9/10/11. Keep in mind that enterprise users of CF8 have perfected, secured and totally stabilised this version through various means over the years. Upgrading to the latest release poses a genuine risk of uncovering new problems. But at some point it will have to happen.
  • Posted By Mark Kruger | 11/25/14 4:30 PM
    @Gary,

    Hey - that's a great tip! I totally agree with you about upgrading. I hate it when people (usually folks with a simple web site) act like moving to the next version is like flipping a switch. It can be an enormous project for many applications.
  • Posted By Wil Genovese | 11/26/14 1:13 PM
    So far I have yet to make CF8.0.1 (fully patched) and Java 1.6.0_45 fail using CFHTTP over SSL when SSLv3 is disabled at the remote server. It always uses TLS1.0, which is the default method for Java 1.6.

    I'm using Wireshark to monitor which protocol is used for the handshake so I am certain of what is used.
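As an added example (not code from the post or from any of the commenters), here is a small Python decoder for the first record a server sends back, which shows the same thing Wil reads off Wireshark: the version the server chose in its ServerHello, or the alert it returns when it refuses the handshake (what a client whose only offer is SSLv3 sees once the server has disabled it). The byte strings are constructed, minimal samples; a real ServerHello carries more fields after the version, which this decoder does not need.

```python
import struct

# Record-layer content types and protocol version codes used by SSL 3.0 / TLS.
CT_ALERT, CT_HANDSHAKE = 0x15, 0x16
HS_SERVER_HELLO = 0x02
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def describe_server_record(data: bytes) -> str:
    """Describe the first SSL/TLS record in `data` (as captured from the server)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if content_type == CT_ALERT:
        if len(body) < 2:
            raise ValueError("truncated alert")
        level, desc = body[0], body[1]
        return f"alert {ALERTS.get(desc, str(desc))} (level {level}); server refused the handshake"
    if content_type == CT_HANDSHAKE:
        # Handshake header is type (1 byte) + length (3 bytes); ServerHello then
        # starts with the negotiated protocol version (2 bytes).
        if len(body) < 6 or body[0] != HS_SERVER_HELLO:
            return "handshake record, but not a ServerHello"
        (server_version,) = struct.unpack("!H", body[4:6])
        return f"ServerHello negotiated {VERSIONS.get(server_version, hex(server_version))}"
    return f"unexpected content type {content_type:#04x}"


# Constructed samples (not real captures): record header, handshake header, version.
SAMPLE_TLS10_HELLO = bytes.fromhex("1603010006" "02000002" "0301")
SAMPLE_SSL3_HELLO = bytes.fromhex("1603000006" "02000002" "0300")
# Constructed alert: level 2 (fatal), description 40 (handshake_failure).
SAMPLE_HANDSHAKE_FAILURE = bytes.fromhex("1503000002" "0228")

if __name__ == "__main__":
    for name, rec in [("TLS 1.0 hello", SAMPLE_TLS10_HELLO),
                      ("SSLv3 hello", SAMPLE_SSL3_HELLO),
                      ("refused", SAMPLE_HANDSHAKE_FAILURE)]:
        print(f"{name}: {describe_server_record(rec)}")
```

Feed it the first bytes the server returns (from a socket read or a packet capture) to confirm a client is really landing on TLS 1.0 rather than SSLv3, or to see the refusal when it is not.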