Version of TLS in CF 2018 Enterprise?

New Here, Jun 22, 2021

Hi Friendly Folks,

When I check "Enable TLS connection to mail server" in CF Admin under "Mail", what version of TLS is activated? I have searched around and been unable to find an answer.

Thanks!

- Shawn

TOPICS: Server administration
Views: 369

Community guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.

Community Expert, Jun 22, 2021

Shawn, there's no concept really of "what version of TLS is activated". Instead, it helps to consider first that TLS (and SSL) is a two-way handshake between the origin and the destination, where each reports what versions it supports and they negotiate to pick one that works for both ends of the conversation.

Then, as for what version of TLS "CF supports" (which is what I sense you were getting at), note that it's not really CF that makes that call. It's the underlying Java version that you have CF configured to use which makes that call. Different Java versions (and even different update levels within a given Java version) change what versions of TLS (or SSL) are supported. So whether "CF" can support a given TLS version is not about CF but about the JVM. FWIW, I have a table discussing what versions of Java are supported by what versions of CF.

Finally, I will point out that it's not as simple as "newer versions of Java will support newer versions of TLS". Sometimes newer Java versions will REMOVE support for older TLS/SSL versions. In fact, the Java update that came out in April 2021 (for Java 8 and 11, the current long-term support releases) did itself remove support for calling out to servers that might only support TLS 1.1 or earlier. If you may need to talk to such a server (with such old TLS support), which may well be the issue you are facing in talking to your mail server, then you would need to tweak the Java configuration to allow for that. I cover that some in a post I did on that recent Java update.

Does all that help? If you still have questions, let us know.


/Charlie (troubleshooter, carehart.org)

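Charlie's point about the April 2021 Java updates removing TLS 1.0/1.1 comes down to the jdk.tls.disabledAlgorithms property in the JVM's java.security file. The script below is an added example, not Charlie's code and not anything shipped by Adobe or ColdFusion: it reads the JVM path from ColdFusion's jvm.config, lists which protocol versions that JVM refuses to negotiate, and can emit a copy of java.security with TLSv1 and TLSv1.1 taken off the list. The java.security and jvm.config fixtures it creates are constructed fragments modelled on the shipped defaults, and the install paths in the comments are assumptions to adjust for your own server.

```shell
#!/bin/sh
# Added example, not from the thread: find which JVM ColdFusion runs on and
# inspect (or, as a last resort, relax) the jdk.tls.disabledAlgorithms setting
# in its java.security file, where the April 2021 Java 8/11 updates added
# TLSv1 and TLSv1.1. Assumed layouts: jvm.config carries a "java.home=" line;
# java.security sits in <java.home>/jre/lib/security (Java 8 JDK),
# <java.home>/lib/security (Java 8 JRE) or <java.home>/conf/security (Java 11+).

# The JVM ColdFusion uses, read from cfusion/bin/jvm.config (CRLF tolerated).
cf_java_home() {
    sed -n 's/^java\.home=//p' "$1" | tr -d '\r'
}

# Path of java.security for that JVM, or failure if the layout is unknown.
java_security_path() {
    for p in "$1/jre/lib/security/java.security" \
             "$1/lib/security/java.security" \
             "$1/conf/security/java.security"; do
        [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Properties files continue long values with a trailing backslash; join them.
join_continuations() {
    awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next } { print buf $0; buf = "" }' "$1"
}

# List the protocol versions the JVM refuses to negotiate, one per line.
disabled_tls_versions() {
    join_continuations "$1" \
      | sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -E '^(SSLv[23]|TLSv1(\.[0-9])?)$'
}

# Emit a copy of java.security with TLSv1 and TLSv1.1 removed from the disabled
# list and everything else untouched. This re-enables protocols deprecated for
# good reason; prefer getting the mail server onto TLS 1.2 and revert when done.
reenable_tls10_11() {
    join_continuations "$1" \
      | sed -E -e '/^jdk\.tls\.disabledAlgorithms=/{' \
               -e 's/TLSv1(\.1)?, //g' \
               -e 's/, TLSv1(\.1)?$//' \
               -e '}'
}

# Constructed fixtures modelled on Java 8u291 / 11.0.11 defaults and a CF 2018
# jvm.config (not copied from a real install); each prints its temp file path.
make_sample_java_security() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
securerandom.source=file:/dev/random
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
EOF
    printf '%s\n' "$f"
}
make_sample_jvm_config() {
    f=$(mktemp)
    printf 'java.home=/opt/coldfusion2018/jre\r\njava.args=-server -Xmx1024m\r\n' >"$f"
    printf '%s\n' "$f"
}

# Usage against a live install (paths are assumptions; adjust to yours):
#   jh=$(cf_java_home /opt/coldfusion2018/cfusion/bin/jvm.config)
#   disabled_tls_versions "$(java_security_path "$jh")"
#   reenable_tls10_11 "$(java_security_path "$jh")" > /tmp/java.security.relaxed
```

Rather than editing the shipped java.security (which the next Java update overwrites), the same change can be kept in a small override file holding only the jdk.tls.disabledAlgorithms line and loaded with -Djava.security.properties=/path/to/override.properties added to the java.args line of jvm.config; only the properties named in the override file are replaced. Either way this weakens the JVM for every outbound TLS connection CF makes, not just mail, so treat it as a bridge while the mail server is moved to TLS 1.2 or 1.3.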
Community Expert, Jun 22, 2021

Like @Charlie Arehart says, it's kind of complicated. In addition to what he said, most mail servers support TLS 1.2 and 1.3, and you can find out what a given mail server supports from the command line using OpenSSL.

https://halon.io/blog/how-to-test-smtp-servers-using-the-command-line/

Dave Watts, Eidolon LLC

Community Expert, Jun 27, 2021

@Shawn Coughlin , Just to add to the contributions you've received from Charlie and Dave:

    When I check "Enable TLS connection to mail server" in CF Admin under "Mail", what version of TLS is activated?
    By @Shawn Coughlin

A legitimate question. When you check "Enable TLS connection to mail server", the TLS version that is activated/enabled on the server side = the default TLS version of the Java installation on which ColdFusion is running.

It is TLS 1.2 for Java 8. I suspect it is TLS 1.2 for Java 11 too. This suspicion is strong because the TLS 1.3 in Java 11 originally had an error which was only fixed in a later Java update.

Community Expert, Jun 29, 2021

Just to add to the previous answer, this is kind of complicated because it's actually the mail server which will largely determine what version of TLS you use. It'll basically say "I support these versions", then CF will be able to respond with "This is the latest version I support" and that's what you'll use. You can use openssl with the s_client switch to learn more about what your mail server supports.

Also, just to make this even more complicated, TLS requires the use of various hashes and ciphers, and both ends will need to support a common set of those. Honestly, this hasn't really been a problem for me with mail servers, but it's a thing that happens with web servers all the time - if you try to use CFHTTP with a TLS-enabled web server and they don't support a common set of hashes and ciphers, that connection simply isn't going to happen (and it won't be logged by the client because the connection literally didn't happen).

Dave Watts, Eidolon LLC

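Both of Dave's replies point to openssl s_client for seeing what the mail server offers. The script below is an added example (not Dave's code, and not from the halon.io article or anything else in the thread) that runs one handshake per TLS version and parses s_client's session summary into an OK/FAIL row with the negotiated cipher, so a single table answers both the version question and the cipher-mismatch point. It assumes OpenSSL 1.1.0 or newer, treats CF Admin's "Enable TLS connection" as STARTTLS on 25/587 and "Enable SSL socket connections" as implicit TLS on 465 (my reading of those options, not something the thread states), and the embedded s_client transcripts used for offline checking are constructed, with mail.example.com as a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread: probe a mail server with openssl s_client,
# one TLS version per handshake, and report what it negotiates.
# Assumes OpenSSL 1.1.0+ (for -tls1_3); run it from the ColdFusion host so the
# test follows the same network path that cfmail uses.

# Print one probe command (handy for logging or pasting into a ticket).
# mode "starttls": STARTTLS on 25/587, what CF Admin's "Enable TLS connection"
#      does (assumption about the admin option, not stated in the thread)
# mode "implicit": TLS from the first byte on 465, CF Admin's "Enable SSL socket connections"
probe_cmd() {
    host=$1 port=$2 ver=$3 mode=${4:-starttls}
    if [ "$mode" = starttls ]; then extra="-starttls smtp"; else extra=""; fi
    printf 'openssl s_client -connect %s:%s -servername %s %s-%s </dev/null\n' \
        "$host" "$port" "$host" "${extra:+$extra }" "$ver"
}

# Read s_client output on stdin and print "OK <protocol> <cipher>" or "FAIL <protocol>".
# s_client prints an SSL-Session block even when the handshake fails, but then the
# cipher shows as 0000, which is what separates a refused version from a working one.
summarize_handshake() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") printf 'FAIL %s\n' "${proto:-unknown}" ;;
        *)                printf 'OK %s %s\n' "$proto" "$cipher" ;;
    esac
}

# One row per protocol version. A healthy server shows FAIL for tls1/tls1_1 and OK
# for tls1_2 (and tls1_3); FAIL on every row usually means the wrong mode or port,
# or a local OpenSSL too old to know the option (its error text has no session block).
probe_smtp_tls() {
    host=$1 port=${2:-587} mode=${3:-starttls}
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        if [ "$mode" = starttls ]; then
            out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -starttls smtp "-$ver" </dev/null 2>&1) || true
        else
            out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  "-$ver" </dev/null 2>&1) || true
        fi
        printf '%-7s %s\n' "$ver" "$(printf '%s\n' "$out" | summarize_handshake)"
    done
}

# Constructed transcripts (shaped like OpenSSL 1.1.1 output, not captured from a
# real server) so summarize_handshake can be checked without network access.
sample_success() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.com
   i:CN = Example CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}
sample_failure() {
cat <<'EOF'
CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
EOF
}

# Touches the network only when told which server to test, e.g.
#   SMTP_HOST=mail.example.com SMTP_PORT=587 sh smtp-tls-probe.sh
#   SMTP_HOST=mail.example.com SMTP_PORT=465 SMTP_MODE=implicit sh smtp-tls-probe.sh
if [ -n "${SMTP_HOST:-}" ]; then
    probe_smtp_tls "$SMTP_HOST" "${SMTP_PORT:-587}" "${SMTP_MODE:-starttls}"
fi
```

The cipher column is the part to watch for Dave's second point: if the server only answers with a suite the JVM has disabled (RC4, DES, 3DES and anonymous suites are all on the default jdk.tls.disabledAlgorithms list), CF's handshake fails even though s_client reports OK, and you can confirm that by re-running a single probe with -cipher set to the suite in question.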