ColdFusion and the TLS 1.2 shortcut

The security community would have my head for even thinking about this concept. But I think it’s acceptable depending on your situation.

More and more web services (notably, credit card gateways) are disabling TLS versions lower than 1.2 due to security vulnerabilities.

For those of us using PHP or another open-source / community supported language, this is not a problem. We simply update our helper HTTP libraries / executables (curl, for example) and call it a day.

It’s not that easy with ColdFusion. Honestly, I’m afraid to touch many aspects of my ColdFusion install for fear something will break.

But it’s more than ColdFusion. It’s the underlying Java Virtual Machine that determines which version of TLS is supported. If your version is old and your current version of ColdFusion doesn’t support later JVMs, you’re out of luck.

So, for those of us in that boat, it might be easier to seek another method of performing the TLS 1.2 HTTP call.

For me, that method was a PHP “web service”. Since my ColdFusion instance runs on a LAMP stack, I had easy access to PHP.

  • I ran a “yum update curl” to get curl to the latest version, ensuring that TLS 1.2 is supported.
  • I then created a simple PHP script that simply accepts a POST body, makes the HTTP call, and echoes the result in its own HTTP response.
  • We still use ColdFusion’s CFHTTP function, but in this case we call our PHP web service first. Our PHP web service makes the call to the TLS 1.2-only web service.

Example PHP script:

<?php
// Relay script: takes the raw body sent by the ColdFusion <cfhttp> call and
// forwards it to the TLS 1.2-only endpoint using the (updated) system curl.
$postBody = file_get_contents('php://input');  // sent from the ColdFusion <cfhttp> call

$url = '[my_endpoint_that_only_supports_tls_1.2]';
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $url );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: text/xml'));
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );   // return the body instead of printing it
curl_setopt( $ch, CURLOPT_POSTFIELDS, $postBody );
$result = curl_exec($ch);
curl_close($ch);

// Hand the upstream response back to ColdFusion as this script's HTTP response.
echo $result;

Then, call your PHP script via <cfhttp>

<cfhttp method="post" url="https://www.example.com/http-script.php">
  <cfhttpparam type="XML" value="#my_xml_request_or_whatever#" />
</cfhttp>


The only caveat here is that, since your ColdFusion version doesn’t support TLS 1.2, the web server hosting your PHP script must still accept the older TLS version that your ColdFusion install can negotiate (whatever that is); only the outbound curl call from the PHP script needs TLS 1.2.

Also, I’d highly recommend that you put any sensitive data (usernames, passwords, etc.) in your PHP script and not pass it in the <cfhttp> request body.
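Because the relay above accepts any body from any client that can reach it and forwards it upstream, it is worth locking down before it goes live. The following is an added example, not the script from this post: it assumes the relay serves only the ColdFusion host on the same LAMP box, that a shared secret is sent in an X-Relay-Token header, that the upstream URL is a placeholder, and PHP 5.6 or later (for hash_equals).

```php
<?php
// Added example, not the post's own script: a locked-down version of the relay.
// Assumed: the relay serves only the ColdFusion host (same LAMP box), a shared
// secret arrives in an X-Relay-Token header, and the upstream URL is a placeholder.

// 1. Only the ColdFusion server may reach the relay at all.
if (!in_array($_SERVER['REMOTE_ADDR'], array('127.0.0.1', '::1'), true)) {
    http_response_code(403);
    exit;
}

// 2. Shared secret read from the environment (not the web root), so nothing else on the box can drive the relay.
$expectedToken = getenv('RELAY_TOKEN');
$givenToken = isset($_SERVER['HTTP_X_RELAY_TOKEN']) ? $_SERVER['HTTP_X_RELAY_TOKEN'] : '';
if ($expectedToken === false || $expectedToken === '' || !hash_equals($expectedToken, $givenToken)) {
    http_response_code(403);
    exit;
}

// 3. Only a POST with a body of sane size is forwarded.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
$postBody = file_get_contents('php://input');
if ($postBody === false || strlen($postBody) > 1048576) { http_response_code(413); exit; }

// 4. The upstream URL is fixed here and never taken from the request,
//    so the script cannot be turned into an open proxy.
$url = 'https://gateway.example.invalid/api'; // placeholder endpoint
$ch = curl_init($url);
curl_setopt_array($ch, array(
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $postBody,
    CURLOPT_HTTPHEADER     => array('Content-Type: text/xml'),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // pin the outbound leg
    CURLOPT_SSL_VERIFYPEER => true,                    // keep certificate checks on
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_TIMEOUT        => 30,
));
$result = curl_exec($ch);
if ($result === false) {
    error_log('relay: ' . curl_error($ch)); // detail stays in the server log
    curl_close($ch);
    http_response_code(502);
    exit;
}
http_response_code(curl_getinfo($ch, CURLINFO_RESPONSE_CODE));
curl_close($ch);
header('Content-Type: text/xml');
echo $result;
```

On the ColdFusion side the secret travels in a `<cfhttpparam type="header" name="X-Relay-Token" value="...">` next to the XML parameter, and the token value itself should come from server configuration rather than being hard-coded in the .cfm template.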


This entry was posted in ColdFusion.

Updated: 2017-05-08

Phil LaNasa
  • Wil Genovese

    First of all, ColdFusion 9.0.2 and older will have issues with TLS 1.2. ColdFusion 9.0.n end of life was 12/31/2014. There have been three major new versions of ColdFusion since then and all support TLS 1.2. Additionally ColdFusion 9.0.n runs on Java 1.7 and that is also long past end of life. If anyone is still using those old versions, UPGRADE! If you really want to know more: https://www.trunkful.com/index.cfm/2014/12/8/Preventing-SSLv3-Fallback-in-ColdFusion

    • sitekickr

      Wil, yes, of course, upgrading is the safest option. But there are hundreds of posts out there that all recommend that same course of action.

      My post was geared towards those who are running an older version of CF and can’t justify upgrading (only need it for a couple more months, too costly, etc).

      • Wil Genovese

        Sadly, I’m most likely the one that started people looking at running CF9 on Java 1.8. No one was doing it until I figured out it “ran” during my testing for that article I wrote. No one can safely recommend that as a viable option. It’s not tested; no one knows for certain if everything will work.