9 Replies Latest reply on May 15, 2017 3:48 PM by Jamo

    Coldfusion MX 6.1 TLSv 1.1

    Movak

      Is it possible to use TLSv 1.1 on Coldfusion MX 6.1? If so how can I do it?

       

      Any help would be appreciated.

      Thanks,

      Joe Klovance

        • 1. Re: Coldfusion MX 6.1 TLSv 1.1
          haxtbh Level 4

          TLS will depend on the underlying operating system as well. You will need Windows 7 / 2008 R2 to have it available.

           

          v1.1 is available from Java 1.8 on CF10 and 1.7 on CF 11.

           

          So no is the answer

          • 2. Re: Coldfusion MX 6.1 TLSv 1.1
            Movak Level 1

            TLS 1.1 is also available on JRE 1.6.0_111. I am also talking a linux install not Windows.

            • 3. Re: Coldfusion MX 6.1 TLSv 1.1
              WolfShade Level 4

              I hate to be the party pooper, here, but unless your CF installation is strictly intranet (ie, not public-facing), then you want to seriously consider upgrading to AT LEAST CF10.

               

              MX6 is so old that not only are you missing out on some nice features but you're also gambling with your site/app security.  While the *nix platform will help with that, a public-facing MX6 install (really anything less than CF10) could be more vulnerable to malicious activities.  Even if you use USG DoD security measures.

               

              Just a thought.

               

              V/r,

               

              ^_^

              • 4. Re: Coldfusion MX 6.1 TLSv 1.1
                Jamo Level 2

                I noted that you stated you were using Linix, not Windows... but for anyone that visits this post using Windows and ColdFusion 3.1, 4.5, 5, 6, 7, 8, 9, 10, 11 or 2016, I recommending using Abiadata's CFX_HTTP.

                Adiabata, Inc. - CFX_HTTP5http://adiabata.com/cfx_http5.cfm

                 

                FYI:  Authorize.Net plans to disable TLS 1.0 and TLS 1.1 by September 18, 2017.  This will cause problems for anyone running ColdFusion 3-9 (and potentially CF10.)   CFX_HTTP5 has a feature that enables you specify which protocols to use.  (We use SSL="5" to force all HTTP Posts to to use TLS1.2.)

                • 5. Re: Coldfusion MX 6.1 TLSv 1.1
                  haxtbh Level 4

                  Update to 1.6 if you can manage it but as far as Im aware its not supported.

                  • 6. Re: Coldfusion MX 6.1 TLSv 1.1
                    Jamo Level 2

                    It's not... and even if you do update ColdFusion 6, 7, 8 or 9 to the highest Java version and CF patch, it's pretty difficult (or impossible) to force ColdFusion/Java to use newer versions of TLS during the handshake.  For example, We were able to configure a higher TLS version in Java, but ColdFusion 9 still automatically used the lowest compatible protocol.

                     

                    You may want to use CFExecute and use CURL.  It also has newer features than CFMX6's CFHTTP and is available for every OS/platform.

                    https://curl.haxx.se/

                    • 7. Re: Coldfusion MX 6.1 TLSv 1.1
                      BKBK Adobe Community Professional & MVP

                      Movak  wrote

                       

                      Is it possible to use TLSv 1.1 on Coldfusion MX 6.1?

                      You can answer the question yourself. The earliest version of Java to support TLS 1.1 is 1.6.0_111. So, can you get your Coldfusion MX 6.1 installation to run on Java 1.6.0_111?

                      • 8. Re: Coldfusion MX 6.1 TLSv 1.1
                        Movak Level 1

                        I worked it out. I had to do the following;

                        1. Upgrade the curl on the server to 7.24 (had to build it)
                        2. Write a temp script file with the Curl command (to get around CFHTTP issue with multiple parameters)
                        3. Execute the script using CFEXECUTE

                        The only problem now is that the script file hangs around. I have tried to use CFFILE action="delete" but I get no errors but the file stays. The file name is the same as when I write the script.

                        • 9. Re: Coldfusion MX 6.1 TLSv 1.1
                          Jamo Level 2

                          ColdFusion likes to maintain locks on files for some weird reason.  I used to encounter the same problem when manipulating image files.

                           

                          Make sure you add a UUID to the filname creating the temporary BAT file.  Execute it from a non-publicly accessible temp directory and then schedule another script to delete old files.