I'm using a HostNexus CF server (CF10 Enterprise v10.0.14.291717 running on Windows Server 2012 R2 with jvm v1.8.0_172C). I am successfully using Amazon SES for email using CFMail to Amazon's SES SMTP gateway. I use the useTLS = "yes" option in the CFMail tag.
Amazon is upgrading to TLS v1.2 and is sending me warnings that my SES connections are using TLSv1 and will no longer be supported within a few weeks.
Since the server is not on my network, I don't know how I can troubleshoot to see the TLS version that CFMail is connecting with, and attempt to get it to use TLS V1.2.
I did a trouble ticket to the provider, but it seems they don't have any idea for how to proceed (i.e., Restarted mail services from our end. Can you please check now.).
Anyone have any ideas of what to try on my end, or what the provider can try on their end to get me to TLS v1.2?
Thanks,
Marty M
You said you are using CF10. May I ask what Java version you are using? Because I believe CF10 shipped with Java 6 and that will not support tls 1.2.
I believe v7 was the first that supported tls 1.2, and java 8, which is the highest you can go on CF10, has tls 1.2 as default. So if you are still running Java 6 on your CF10 install that likely would have to be upgraded.
As a side note, you will also start running into problems in the future with the Windows Server 2012 as it will not support tls 1.3.
Another important note to be mindful of. Just because you have tls 1.2 there are other issues in that there are many ciphers included in each tls version. So as the companies you are connecting to via cfmail or cfhttp start upgrading they may start refusing your connections. Most will give advanced notice of this but it is hard, especially if you have a ton of servers, to start upgrading both Windows and CF at the same time. There are code changes required in some cases to your application between CF10 and the newest CF. So not only are you upgrading Windows but the app server as well and potentially many coding changes to make it all work correctly.
In the short term, you can likely get it going but just going to keep it in mind for the future so you don't get caught off guard.
The server is using jvm v1.8.0_172C.
I'm trying to figure out what I can do to check the TLS version that CFMail is using to connect to the SES SMTP gateway (probably nothing) and what I can suggest the provider can do (as I'm the one that won't be sending any email after SES updates their gateway)...
I have the same issue on CF10 java version 1.8.0_171. CFMAIL will only connect with TLSv1.
The java argument -Dhttps.protocols=TLSv1.2,TLSv1.2 does work for outbound HTTPS connections, but doesn't seem to have any effect on SMTP connections. Is there another jvm argument that could be used to target mail connections?
mail.smtp.ssl.protocols
Thanks Charlie!
Adding -Dmail.smtp.ssl.protocols=TLSv1.2 to the JVM arguments did indeed work, and CFMAIL is now connecting on TLSv1.2.
Just a reminder to anyone to also ensure that "useTLS" is set to "yes" in your cfmail tag.
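As an added example (not code from this thread, CFMail or JavaMail), here is a small Java program you can run under the same JVM as ColdFusion to see which TLS version that JVM actually negotiates for SMTP STARTTLS. It does the EHLO/STARTTLS exchange JavaMail does and applies -Dmail.smtp.ssl.protocols the way JavaMail does (a whitespace-separated list passed to setEnabledProtocols); the host name is a placeholder to replace with your SES endpoint.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class SmtpTlsProbe {
    // Read one SMTP reply; multi-line replies use "250-..." then a final "250 ...".
    static String readReply(BufferedReader in) throws IOException {
        String line;
        do {
            line = in.readLine();
            if (line == null) throw new IOException("connection closed by server");
        } while (line.length() >= 4 && line.charAt(3) == '-');
        return line;
    }

    static void send(OutputStream out, String cmd) throws IOException {
        out.write((cmd + "\r\n").getBytes(StandardCharsets.US_ASCII));
        out.flush();
    }

    // Returns the protocol the JVM negotiated, e.g. "TLSv1" or "TLSv1.2".
    static String probe(String host, int port) throws IOException {
        try (Socket plain = new Socket(host, port)) {
            plain.setSoTimeout(10_000);
            BufferedReader in = new BufferedReader(
                new InputStreamReader(plain.getInputStream(), StandardCharsets.US_ASCII));
            OutputStream out = plain.getOutputStream();
            if (!readReply(in).startsWith("220")) throw new IOException("unexpected greeting");
            send(out, "EHLO tls-probe.example");
            if (!readReply(in).startsWith("250")) throw new IOException("EHLO rejected");
            send(out, "STARTTLS");
            if (!readReply(in).startsWith("220")) throw new IOException("STARTTLS refused");
            // Upgrade the existing connection with the JVM's default JSSE settings,
            // then restrict protocols exactly as JavaMail does for mail.smtp.ssl.protocols.
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                String allowed = System.getProperty("mail.smtp.ssl.protocols");
                if (allowed != null) tls.setEnabledProtocols(allowed.trim().split("\\s+"));
                tls.startHandshake();
                return tls.getSession().getProtocol();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "smtp.example.invalid"; // placeholder, not a real endpoint
        System.out.println("Negotiated protocol: " + probe(host, 587));
    }
}
```

Run it once without the property and once with -Dmail.smtp.ssl.protocols=TLSv1.2 to confirm the argument changes what the JVM negotiates before relying on it in CFMail.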
Great to hear and glad to have helped. As for usetls, I'd not mentioned it as the original post here did. I was just answering your question, about the other jvm argument you needed. Indeed, some will notice I was going for my shortest answer ever. 🙂