TheNephalim
Explorer
Activity
Feb 13, 2025 03:50 PM
Thanks for the response. Creating the files and then updating the pointer gives me a little bit of the ick because you're leaving the old files lying around. One of the reasons is that the STIGs I need to follow specifically mandate that you delete all of the files under the /cfusion/hf-updates folder after the patch is applied. The rationale being that a bad actor could get onto your server and revert the changes made by the patch. Currently, however, there are no updated guidelines to the STIGs for ColdFusion, so I'm following Freitag's Lockdown guides and the ColdFusion 11 STIG.
Feb 10, 2025 02:40 PM
It is germane for me to note that the server does not have internet access for security reasons. So, I'm wondering if I want to potentially do both. Update using the main file, then unzip the package repository to the bundles folder and update those packages we still have installed?
Feb 10, 2025 12:02 PM
I’m relatively new to ColdFusion 2023 as we are in the process of migrating from ColdFusion 2018. Before I continue, I understand that we should have already completed the migration and the reasons why it is necessary. Unfortunately, I didn't have any control over the timeline, but I’m doing the best I can, and we are making progress. That said, I’m a bit confused about how updates are supposed to be applied to the server. From what I’ve gathered, the ColdFusion (2023 release) Update XX file updates the core application server, applying immediate fixes, adding new features, and so on. This update is cumulative. However, it appears that this update does not include any updates for ColdFusion packages. On the other hand, the Hotfix and Packages repository seems to contain fixes for specific issues and updates for packages. My question is: Which is the preferred approach? Should I apply the Update File, the Hotfix/Packages repository, or both? From what I understand, I can execute the main update file, unzip the Hotfix/Packages repository into the default bundles folder, and then run update all at the cfpm prompt. Is that the right approach? I’d appreciate any guidance or clarification from those more familiar with the process.
Jul 10, 2024 10:29 AM
Were you able to discern why this is working? I ran into a similar situation in ColdFusion 2023. I eventually got it to work. The abbreviated version of the connection string worked. I added the HostNameInCertificate and that worked as well. If I changed the hostname to something invalid, I got the error message you indicated. I'm confused as to why this is working, though. How is it validating without knowing which TrustStore is being used and without being provided a password with which to access the TrustStore? I decided to change the password for the cacerts to see if that impacted anything and it did not. If it does use cacerts, does Java have access to the password?
Jul 10, 2024 10:09 AM
After importing the certificates, I did restart the ColdFusion service. I tried the different combinations of the connection strings and they appeared not to work. However, I just went back in and tried the following: AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=true; It worked. When you add the references to the hostname, the truststore path, and the truststore password, it bombs out. Does anyone understand why the abbreviated form works and specifying the aforementioned parameters makes it throw an error? How is it validating the certificate if it doesn't have a TrustStore and no password with which to access it?
Jul 10, 2024 09:55 AM
The following connection string worked in ColdFusion 2018:

EncryptionMethod=SSL;ValidateServerCertificate=true;HostNameInCertificate=SQL-SERVER;TrustStore=e:\Java\jdk-11.0.13\lib\security\cacerts;TrustStorePassword=[mypassword]

When I attempted the connection, I got the error message:

An SSL socket connection could not be established because JRE 1.4 or above required

I attempted to connect without requiring SSL, but got a different error which I resolved by adding AuthenticationMethod=NTLM. After resolving that, I added the above to the connection string, but got the same error. I figured the issue was the fact that I have ColdFusion running on jdk-17.0.11. I went ahead and created a new truststore like we did in production and imported all three of the certificates. Same error. I ran across a post with similar problems where the recommendation was to use cacerts instead of a custom truststore. I imported the certificates using the following commands into the cacerts truststore:

E:\Java\jdk-17.0.11\bin\keytool -import -v -trustcacerts -cacerts -storepass [mypassword] -noprompt -alias my_root_ca -file C:\Temp\test-server-certificates\my_root_ca.crt
E:\Java\jdk-17.0.11\bin\keytool -import -v -trustcacerts -cacerts -storepass [mypassword] -noprompt -alias my_intermediate_ca -file C:\Temp\test-server-certificates\my_intermediate_ca.crt
E:\Java\jdk-17.0.11\bin\keytool -import -v -trustcacerts -cacerts -storepass [mypassword] -noprompt -alias sql-server -file C:\Temp\sql_server_certificates\sql-server.dc3n.navy.mil\sql-server.cert.crt

The connection string works:

AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=false

The following connection strings do not work:

AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=true;HostNameInCertificate=SQL-SERVER;TrustStore=E:\Java\jdk-17.0.11\lib\security\cacerts;TrustStorePassword=changeit
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.

AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=false;HostNameInCertificate=SQL-SERVER;TrustStore=E:\Java\jdk-17.0.11\lib\security\cacerts;TrustStorePassword=changeit
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.

AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=false;HostNameInCertificate=SQL-SERVER;TrustStore=E:\Java\jdk-17.0.11\lib\security\cacerts;TrustStorePassword=changeit
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.

AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=true
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]SSL handshake failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Any assistance you can provide is greatly appreciated because this is driving me bonkers. As you can see, I can get it to work if I don't validate the certificate, but I would prefer to do things the proper and more secure way.
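The post above compares several "Key=Value;Key=Value" connection strings that differ only in their TLS attributes, and the one that "works" is the one that switches certificate validation off. Added example (not the poster's code, not Adobe's or the driver vendor's): a small linter that parses that format and reports the settings which weaken server-certificate checking, so a reviewer can flag a ValidateServerCertificate=false data source before it reaches production. The attribute names are the ones used in the post; the severity ranking, the expectation that HostNameInCertificate be set explicitly when validating, and the sample strings (with a placeholder password) are this example's own assumptions.

```python
"""Lint DataDirect-style JDBC connection strings for TLS settings.

Added example (not from the post or from Adobe's code). It parses the
"Key=Value;Key=Value" format shown in the post and reports settings that
weaken server-certificate validation. Attribute names follow the post;
the severity levels and the HostNameInCertificate expectation are
assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    key: str
    message: str


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split 'A=1;B=2;' into a dict. Keys are lower-cased so lookups are
    case-insensitive; values keep their case (paths, host names)."""
    settings: dict[str, str] = {}
    for token in conn.split(";"):
        token = token.strip()
        if not token:
            continue                          # trailing ';' or a doubled ';;'
        if "=" not in token:
            raise ValueError(f"malformed token without '=': {token!r}")
        key, _, value = token.partition("=")  # a value may itself contain '='
        settings[key.strip().lower()] = value.strip()
    return settings


def lint_tls_settings(conn: str) -> list[Finding]:
    """Return the list of weaknesses found in one connection string."""
    s = parse_connection_string(conn)
    findings: list[Finding] = []

    if s.get("encryptionmethod", "").lower() != "ssl":
        findings.append(Finding("high", "EncryptionMethod",
                                "transport is not encrypted; expected EncryptionMethod=SSL"))
        return findings   # the remaining checks only matter once TLS is on

    if s.get("validateservercertificate", "").lower() != "true":
        findings.append(Finding("high", "ValidateServerCertificate",
                                "server certificate is not validated; a spoofed "
                                "SQL Server would be accepted"))
    elif "hostnameincertificate" not in s:
        findings.append(Finding("medium", "HostNameInCertificate",
                                "no expected host name pinned; set it so the chain "
                                "check is tied to the intended server"))

    if "truststorepassword" in s:
        findings.append(Finding("medium", "TrustStorePassword",
                                "truststore password is embedded in the connection "
                                "string; prefer the JVM default truststore or a secret store"))
    return findings


def is_acceptable(conn: str) -> bool:
    """True when no high-severity finding is raised."""
    return not any(f.severity == "high" for f in lint_tls_settings(conn))


# Constructed samples modelled on the strings in the post (password is a placeholder).
NO_VALIDATION = "AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=false"
VALIDATED_DEFAULT_STORE = "AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=true;"
VALIDATED_PINNED = ("AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=true;"
                    "HostNameInCertificate=SQL-SERVER")
EXPLICIT_STORE = (VALIDATED_PINNED
                  + r";TrustStore=E:\Java\jdk-17.0.11\lib\security\cacerts;TrustStorePassword=[placeholder]")

if __name__ == "__main__":
    samples = [("no validation", NO_VALIDATION), ("default store", VALIDATED_DEFAULT_STORE),
               ("pinned", VALIDATED_PINNED), ("explicit store", EXPLICIT_STORE)]
    for label, conn in samples:
        hits = [(f.severity, f.key) for f in lint_tls_settings(conn)] or "clean"
        print(f"{label}: {hits}")
```

Run it as-is to see the four sample strings scored; point lint_tls_settings at the data-source strings exported from your own ColdFusion Administrator to review them in bulk. The linter deliberately stops after an unencrypted EncryptionMethod, since validation attributes are meaningless without TLS.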
Jul 03, 2024 09:27 AM
Per your recommendation, I filed a bug ticket. The URL for the ticket is: https://tracker.adobe.com/#/view/CF-4222672 I will also follow up with an email to the licensed reseller from whom we purchased our license to see if they have any additional insight and/or let them know we are not thrilled with this issue. Thanks again for your insights and recommendations.
Jul 03, 2024 08:11 AM
Thanks for your response. Regarding this statement: "However, I would be wary about marking a Security Technical Implementation Guide (STIG) as "Not Applicable". The STIG was put in place for a reason." I'm curious about the course of action you took. If you marked it as a finding, then ostensibly, you need to create a POA&M to document your planned course of action for resolution. Currently, there is no resolution other than removing ColdFusion from the system, which is not an option for us at this juncture. I expressed the comment with reluctance. The STIGs certainly exist for a purpose, and I strive to adhere to them. Regrettably, Adobe has removed the decision-making power from server administrators and developers.

Currently, I am considering the following options:

1. Set up the ColdFusion administrator using an IP address that is reachable within an internal network through a port of your choosing. Ensure it is configured to utilize TLS. While the Connector element allows you to specify a particular address to listen on, it does not seem to provide attributes for defining the hostname. However, this should not be an issue provided there is a corresponding DNS entry. Nevertheless, this approach may be irrelevant as it necessitates opening a port on our server, which is unlikely to occur in the near future.

2. Execute the built-in administrator on localhost and determine the steps to configure TLS on Tomcat, which is expected to be a pain.

3. Disable the built-in administrator. Technically, it's possible to circumvent the STIGs issue by disabling the built-in administrator account when it's not in use. We could activate it as needed for managing the application server and then deactivate it upon completion. However, this approach is not ideal as it necessitates restarting the ColdFusion service.

Running the built-in ColdFusion administrator continuously results in a violation of the STIG. Should it be marked as a finding since we have it enabled due to Adobe removing our ability to implement the IIS alternative? Or should it be marked as "Not Applicable"? Although it can be disabled, no other viable option exists to administer the application server. The resolution described applies to ColdFusion 11 and ColdFusion 2018, but not to 2021/2023, thus technically rendering it "Not Applicable."

Concerning the last issue you mentioned, the root cause was either a user error (PEBKAC) or the necessity to apply patches. Currently, I'm uncertain. However, after applying all the patches and confirming that the "Preserve case for Struct keys for Serialization" option was selected, the issue was resolved.
Jul 03, 2024 07:11 AM
1 Upvote
I really want to thank you for the response. I plan on following the suggestion of a bug report. I really cannot adequately express my frustration that they implemented this without providing the option of opting out. It's even worse that they didn't document they were making this change. I reviewed the documentation again for Update 5 to see if I missed something. I didn't see it and if it's there, it's really buried in there. Sorry about the "Mr. Arehart." My father drilled into us that you didn't call people by their first name unless they gave you permission. I think it was our Pennsylvania German upbringing. I also really wanted to thank you again for your assistance. For a variety of reasons, I'm late to the ColdFusion 2023 party and so probably dredging things up again when people thought it was dead. When I file the ticket, I will definitely post the link here.
Jul 02, 2024 02:45 PM
I need to amend my answer and I cannot edit what I wrote. I looked back over the configuration of my IIS server and found that I did need to set the "/jakarta/isapi_redirect.dll" URL to "Always Allow."
Jul 02, 2024 01:40 PM
This is not true (what Priyank said in 2015). I have IIS set to deny and it works.
[Moderator update: see the author's next comment revising this one.]
There are filtering rules set to deny the download of *.dlls. I have /jakarta set to deny. If you try to directly access the Jakarta directory and any of the files, you will get a 404 error which is by design. However, IIS seems to work fine.
One item of note, we have the root of our website set to allow anonymous so that we can redirect users to a different area of the website if they do not have an account. If you have the permission set on the Jakarta folder set to "Deny Anonymous," then you may have issues depending on your security requirements as it will only work with authenticated/authorized users.
Jul 02, 2024 11:28 AM
1 Upvote
I am in full concurrence with your assessment about making it the default, but allowing administrators to opt out of it.
We are currently in the process of upgrading from 2018 to 2023. We have our ColdFusion Administrator set up as a separate website with an internal IP address that's not publicly accessible, uses SSL/TLS, and is configured to deny anonymous users. It's locked down according to the ColdFusion and the IIS STIGs.
As I mentioned to Mr. Arehart on another thread, this really puts us in a difficult position because, from what I recall, we cannot access browsers directly on our server. To access the administrator, we would have to put in HBSS exceptions to administrate ColdFusion which will present some issues I'm sure.
Jul 02, 2024 11:17 AM
I appreciate your reply. Frankly, I feel this change blows. Our environment is such that we cannot access browsers or the internet on our servers. I can't create a proxy to the site because I have IIS STIGs that disallow the creation of a proxy site. So... the only alternative(s) I can see are to keep the internal site active and lock it down per the guide. I could also technically mark the STIG as "Not Applicable" because it's a different server (TomCat versus JRun) and we're going to be on ColdFusion 2023 versus ColdFusion 11. Whenever we need to administrate ColdFusion, we'll have to put in an HBSS exception so we can use the browser. As an aside, I did follow the STIGs for the sandboxing. I haven't put everything in there because it caused some of our site's applications to create for some unknown reason. I guess I'm just going to keep plugging along. The last issue I have to try to figure out is why the upgrade messed up some of the applications receiving JSON strings from CFC components. Yay. I guess I'm going to
Jul 02, 2024 09:52 AM
I'm a bit flummoxed as to what the resolution of this is. I have a DoD set of STIG rules that state I'm not supposed to use the internal ColdFusion Administrator. OK. I create an IIS website on a separate internal IP address over SSL and denying anonymous access. Now I have ColdFusion blocking me from using anything with CFIDE in the URL. While I have been upgrading from 2018 to 2023, I have the internal administrator available. I applied the suggestion of adding the IP address I'm using to attempt to access the CF administrator and this does not work at all. So how am I supposed to administer ColdFusion while remaining compliant with DoD rules to maintain our authority to operate?
Feb 01, 2018 12:40 PM
Why don't you install it and try it? Also, as you know, ColdFusion 2016 has the static code analyzer that would tell you what code may break in ColdFusion 2016. Our site has tons of code that is super old and none of it failed to work with ColdFusion 2016. I ran the analyzer against the code and it actually identified bugs from some other developers that I went through and fixed. I downloaded Camden's code to give it a whirl in the near future because our in-house developed forum is not that great and his looks pretty decent.
Apr 27, 2007 04:44 PM
Hello,

I have a developer on my team who has been tasked with upgrading our ColdFusion Server from 5.0 to 7.0. The problem we are having is that the client_cert_encoded cgi variable is not showing up or getting set even though we have a valid client certificate. The cert_issuer and cert_subject variables are being set and I can display them fine.

Does anyone have any ideas or solutions to this problem?

Sincerely,
Robert Eberhart