ColdFusion Muse

ColdFusion and JVM Versions and SSLv3-TLS Security Magic

Mark Kruger December 8, 2014 2:52 PM ColdFusion, Coldfusion Security Comments (13)

This is the second entry by Wil Genovese (Trunkful.com) in our effort to provide a complete picture of how CF, various versions of JVMs and various versions of SSL all work together. Wil's previous article on Surviving Poodle gave a blow-by-blow description of how to troubleshoot a system broken by an SSL upgrade. This article includes some detailed technical information as well as the results of some painstaking tests. It is our hope that it will serve as a guide. It represents yet another reason to ensure that you are upgrading to the latest JVM and CF version. Take it away Wil:


13 Comments

  • Posted By me | 12/9/14 5:01 AM
    So it's only SSLv3 we need to worry about on default settings?
  • Posted By Damon | 12/9/14 5:42 PM
    What about running these tests against Railo? It would be interesting to see those results as well.
  • Posted By Mark Kruger | 12/10/14 10:18 AM
    @Damon, I love that idea. I'm not sure we have every Railo version in a test bed. I'll see.
  • Posted By Wil Genovese | 12/10/14 2:18 PM
    Currently it is only SSLv3 that we are worried about. Older versions of SSL are already deprecated and Java 1.6, 1.7 and 1.8 don't allow the ssl2 protocol.

    However, we are investigating a newly discovered flaw similar to POODLE in the various TLS versions being. So the older TLS protocols may be next for removing from use.
  • Posted By Seth | 11/30/15 10:46 PM
    I was speaking with a rep at our host today (big CF host), and he mentioned that there was a cfhttpparam (I'm guessing type header) that could be added to determine the order of TLS authentication used for ColdFusion 9.02 on JVM 1.7.

    Is anyone aware of such a header?

    Seth
  • Posted By Steven Rubenstein | 12/1/15 8:19 PM
    TLS 1.1 and 1.2 can evidently be enabled on Java 1.7 via the Configure Java option.

    In Windows:
    1. Click Windows Start button
    2. Choose Programs : Java : Configure Java
    3. Click on the Advanced tab
    4. Near the bottom, check the checkboxes for TLS 1.1 and TLS 1.2

    I was trying to fix this for a SalesForce.com API call. We got an error about "Content is not allowed in prolog", but according to the SF TLS Help page, that means it is actually working correctly.

    https://help.salesforce.com/HTViewSolution?id=0002...
  • Posted By Steven Rubenstein | 12/1/15 8:20 PM
    I forgot to mention that the server we tested this on is running CF 9.
  • Posted By Seth | 12/4/15 2:22 AM
    Worth a shot, thanks!
  • Posted By Hiroki | 2/1/16 9:39 PM
    It seems that CF10 Update 18 takes -Dhttps.protocols into account.
  • Posted By John K | 9/1/16 1:23 PM
    Hello Mark, I realize I'm late to the game on this subject. But hopefully you can provide a little guidance. I've been getting the following TLS error when attempting to connect to Salesforce: "TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https". I'm running CF server 9.0 (no hotfix applied -- yet), so I know I definitely need to upgrade, but my question is, which upgrade? From the looks of your chart, I could possibly upgrade 9 which would give me Java 1.7. But again, from looking at your chart, I would need to download Java 1.8 to enable TLS 1.1 (and higher) protocols to work. And even that scenario (Java 1.8 running on CF 9, with patches) could work, though you're not sure about how it might work in a production environment. So here's my real ask: Is it worth my time patching CF 9 and installing Java 1.8 in the hopes that it "could" work; or am I better off biting the bullet and upgrading from CF 9 to CF 10 or 11 (or whatever you'd recommend, if this is the scenario you would push)? Sorry, I know this turned out to be a big question! Appreciate any insight or thoughts. Thanks!
  • Posted By Byron Mann | 9/9/16 7:50 PM
    I also have a few sites on CF8 that I support and am beginning to see more issues with CF8 as certificates are coming up for renewal. I started working around it using wget.
  • Posted By Adrian Moreno | 6/11/18 7:20 PM
    Ran down this and some other posts to discover that CF 9 will ignore "-Dhttps.protocols=TLSv1.2" for every version of JDK 7 until JDK 7u171 b31, but then JDK 7u181 enables TLSv1.2 by default.

    The only hurdle is that any JDK past 7u80 is behind an Oracle paid support wall. I managed to find someone with access and it tested just fine using PayPal's TLS Test site:

    <cfhttp url="https://tlstest.paypal.com/" result="test">

    <cfdump var="#test#">

    JDK 8u172 will also work with CF 9.0.2 w/ all hot fixes, but I'd rather not risk the regression testing jumping to the next major version.
  • Posted By Wil Genovese | 6/11/18 8:02 PM
    It was nearly four years ago when I did this testing and wrote this article. Those Java versions were not available then. And as you pointed out you have to pay for those newer Java 1.7 versions. But I do thank you for that information. It's good to know.

    As far as running Coldfusion 9.0.2 fully patched on Java 1.8, I've had mixed results. I never recommend anyone do that, but I've had the chance to work on systems where this has been done and had to troubleshoot issues that we eventually chased down to running on Java 1.8.0_nn.

    The best answer is to upgrade ColdFusion versions.
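A diagnostic in the spirit of Hiroki's and Adrian's comments, added here as an example (not code from the post, from Wil, or from Adobe): run it inside ColdFusion so it reports on the JVM that CF itself is running, showing which protocols that JVM supports versus enables by default and whether -Dhttps.protocols reached it.

```cfml
<cfscript>
// Added diagnostic, not part of the post. Save as a .cfm in the webroot and request it.
// Because it runs inside ColdFusion, it inspects the JVM named in jvm.config,
// not whatever java.exe happens to be first on the PATH.
ctx       = createObject("java", "javax.net.ssl.SSLContext").getDefault();
supported = ctx.getSupportedSSLParameters().getProtocols();  // what this JVM can speak
enabled   = ctx.getDefaultSSLParameters().getProtocols();    // what it offers by default
sys       = createObject("java", "java.lang.System");

report = structNew();
report["java.version"]    = sys.getProperty("java.version");
report["https.protocols"] = sys.getProperty("https.protocols", "(not set)");
report["supported"]       = arrayToList(supported);
report["enabled"]         = arrayToList(enabled);

// Compare the protocols this thread keeps coming back to against the JVM defaults.
checks = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"];
for (i = 1; i <= arrayLen(checks); i++) {
    p = checks[i];
    if (arrayContains(enabled, p))
        report[p] = "enabled by default";
    else if (arrayContains(supported, p))
        report[p] = "supported but NOT enabled by default";
    else
        report[p] = "not supported by this JVM";
}
writeDump(report);
</cfscript>
```

The SSLContext defaults describe what a plain SSL socket offers; https.protocols is read by HttpsURLConnection, so, as the comments above show, whether cfhttp honours it depends on the CF version, and this page only tells you what the JVM itself will do.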