Recently, a vendor we work with updated their server to support TLS 1.3 in addition to TLS 1.2, and our CFHTTP calls to their API are now failing with an Errordetail "I/O Exception: www.thevendor.net:443 failed to respond".
- Testing from our server to theirs using Java (11.0.10) SSLPoke succeeds.
- Scanning their API endpoint with the SSLLabs testing tool shows no issues.
- Accessing their API endpoint with Chrome browser has no issues.
- If I modify our code to use the CFX_HTTP5 custom tag, the connection succeeds.
- If I add jvm.config flags to force TLS 1.2, the connection succeeds, specifically:
-Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2
If I enable SSL handshake debugging with the jvm flag
-Djavax.net.debug=ssl,handshake,verbose
coldfusion-error.log doesn't show an exception but the last few lines show these lines that I don't see in a successful TLS 1.2 connection:
javax.net.ssl|DEBUG|E1|ajp-nio-127.0.0.1-8020-exec-4|2021-03-30 19:44:22.918 CDT|SSLCipher.java:1994|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|E1|ajp-nio-127.0.0.1-8020-exec-4|2021-03-30 19:44:22.940 CDT|SSLSocketImpl.java:727|close inbound of SSLSocket
javax.net.ssl|DEBUG|E1|ajp-nio-127.0.0.1-8020-exec-4|2021-03-30 19:44:22.941 CDT|SSLSocketImpl.java:761|close outbound of SSLSocket
javax.net.ssl|DEBUG|E1|ajp-nio-127.0.0.1-8020-exec-4|2021-03-30 19:44:22.941 CDT|SSLSocketImpl.java:479|duplex close of SSLSocket
javax.net.ssl|DEBUG|E1|ajp-nio-127.0.0.1-8020-exec-4|2021-03-30 19:44:22.941 CDT|SSLSocketImpl.java:1587|close the SSL connection (passive)
I see the behavior on CF 2016 / 2018 / 2021 with the latest patches, running Java 11.0.10 on Windows Server 2019.
We switched to using the cfx_http5 tag for that particular vendor's API. Forced TLS 1.2 with the ssl="5" parameter on the tag.
Thanks, @paule12345 , for the update.
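
The per-version comparison from the original post, as an added example that is not part of the thread and not Adobe's or the vendor's code: it pins one TLS version per attempt, as the `-Djdk.tls.client.protocols` flag does globally, and goes one step past a handshake-only test by sending an HTTP request and waiting for the status line. The class name `TlsVersionProbe` and the `HEAD /` request are assumptions; the host is passed on the command line.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

// Added diagnostic, not code from the thread: handshake plus one HTTP request per TLS version.
public class TlsVersionProbe {

    static String probe(String host, int port, String protocol) throws Exception {
        try (SSLSocket socket = (SSLSocket) SSLContext.getDefault()
                .getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setProtocols(new String[] { protocol });      // offer exactly one version
            params.setEndpointIdentificationAlgorithm("HTTPS");  // check certificate against host
            socket.setSSLParameters(params);
            socket.setSoTimeout(10_000);                         // do not hang on a silent peer
            socket.startHandshake();

            // A handshake-only test stops here; also send a request and wait for a reply.
            String request = "HEAD / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n";
            OutputStream out = socket.getOutputStream();
            out.write(request.getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII));
            String status = in.readLine(); // null: peer closed without sending a response
            return socket.getSession().getProtocol() + " " + socket.getSession().getCipherSuite()
                    + " -> " + (status == null ? "closed without a response" : status);
        }
    }

    public static void main(String[] args) {
        if (args.length < 1) {
            System.err.println("usage: java TlsVersionProbe <host> [port]");
            return;
        }
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        for (String protocol : new String[] { "TLSv1.3", "TLSv1.2" }) {
            try {
                System.out.println(protocol + ": " + probe(args[0], port, protocol));
            } catch (Exception e) { // handshake failure, timeout, or reset
                System.out.println(protocol + ": FAILED " + e);
            }
        }
    }
}
```

Run it with the same JVM that ColdFusion uses, so the result reflects that runtime's TLS provider and trust store.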