Coldfusion MX 6.1 TLSv 1.1

Report · Apr 27, 2017

Is it possible to use TLSv 1.1 on Coldfusion MX 6.1? If so how can I do it?

Any help would be appreciated.

Thanks,

Joe Klovance

Report · Apr 28, 2017

TLS will depend on the underlying operating system as well. You will need Windows 7 / 2008 R2 to have it available.

v1.1 is available from Java 1.8 on CF10 and 1.7 on CF 11.

So no is the answer

Report · Apr 28, 2017

TLS 1.1 is also available on JRE 1.6.0_111. I am also talking a linux install not Windows.

Report · Apr 28, 2017

I hate to be the party pooper, here, but unless your CF installation is strictly intranet (ie, not public-facing), then you want to seriously consider upgrading to AT LEAST CF10.

MX6 is so old that not only are you missing out on some nice features but you're also gambling with your site/app security. While the *nix platform will help with that, a public-facing MX6 install (really anything less than CF10) could be more vulnerable to malicious activities. Even if you use USG DoD security measures.

Just a thought.

V/r,

^_^

Report · Apr 28, 2017

Update to 1.6 if you can manage it but as far as Im aware its not supported.

Report · Apr 28, 2017

It's not... and even if you do update ColdFusion 6, 7, 8 or 9 to the highest Java version and CF patch, it's pretty difficult (or impossible) to force ColdFusion/Java to use newer versions of TLS during the handshake. For example, We were able to configure a higher TLS version in Java, but ColdFusion 9 still automatically used the lowest compatible protocol.

You may want to use CFExecute and use CURL. It also has newer features than CFMX6's CFHTTP and is available for every OS/platform.

https://curl.haxx.se/

Report · Apr 28, 2017

I noted that you stated you were using Linix, not Windows... but for anyone that visits this post using Windows and ColdFusion 3.1, 4.5, 5, 6, 7, 8, 9, 10, 11 or 2016, I recommending using Abiadata's CFX_HTTP.

Adiabata, Inc. - CFX_HTTP5

FYI: Authorize.Net plans to disable TLS 1.0 and TLS 1.1 by September 18, 2017. This will cause problems for anyone running ColdFusion 3-9 (and potentially CF10.) CFX_HTTP5 has a feature that enables you specify which protocols to use. (We use SSL="5" to force all HTTP Posts to to use TLS1.2.)

Report · Apr 29, 2017

Movak wrote
Is it possible to use TLSv 1.1 on Coldfusion MX 6.1?

You can answer the question yourself. The earliest version of Java to support TLS 1.1 is 1.6.0_111. So, can you get your Coldfusion MX 6.1 installation to run on Java 1.6.0_111?

Report · May 03, 2017

I worked it out. I had to do the following;

Upgrade the curl on the server to 7.24 (had to build it)
Write a temp script file with the Curl command (to get around CFHTTP issue with multiple parameters)
Execute the script using CFEXECUTE

The only problem now is that the script file hangs around. I have tried to use CFFILE action="delete" but I get no errors but the file stays. The file name is the same as when I write the script.

Report · May 15, 2017

ColdFusion likes to maintain locks on files for some weird reason. I used to encounter the same problem when manipulating image files.

Make sure you add a UUID to the filname creating the temporary BAT file. Execute it from a non-publicly accessible temp directory and then schedule another script to delete old files.