{"id":2542,"date":"2017-05-08T18:37:54","date_gmt":"2017-05-08T18:37:54","guid":{"rendered":"http:\/\/www.sitekickr.com\/blog\/?p=2542"},"modified":"2017-05-08T18:42:17","modified_gmt":"2017-05-08T18:42:17","slug":"coldfusion-tls-1-2-shortcut","status":"publish","type":"post","link":"https:\/\/www.sitekickr.com\/blog\/coldfusion-tls-1-2-shortcut\/","title":{"rendered":"ColdFusion and the TLS 1.2 shortcut"},"content":{"rendered":"<p>The security community would have my head for even thinking about this concept. But I think it&#8217;s acceptable depending on your situation.<\/p>\n<p>More and more web services (notably, credit card gateways) are disabling TLS versions lower than 1.2 due to security vulnerabilities.<\/p>\n<p>For those of us using PHP or another open-source \/ community supported\u00a0language, this is not a problem. We simply update our helper HTTP libraries \/ executables \u00a0(curl, for example) and call it a day.<\/p>\n<p>It&#8217;s not that easy with ColdFusion. Honestly, I&#8217;m afraid to touch many aspects of my ColdFusion install for fear something will break.<\/p>\n<p>But it&#8217;s more than ColdFusion. It&#8217;s the underlying Java Virtual Machine that determines which version of TLS is supported. If your version is old and your current version of ColdFusion doesn&#8217;t support later JVMs, you&#8217;re out of luck.<\/p>\n<p>So, for those of us in that boat &#8211; it&#8217;s might be easier to seek another method of performing the TLS 1.2 HTTP call.<\/p>\n<p>For me, that method was a PHP &#8220;web service&#8221;. Since my ColdFusion instance runs on a LAMP stack, I had easy access to PHP.<\/p>\n<ul>\n<li>I ran a &#8220;yum update curl&#8221; to get Curl to the latest version, ensuring that TLS 1.2 is supported.<\/li>\n<li>I then created a simple PHP script that simply accepts a post body and makes an HTTP call.\n<p>It then echoes the results in the HTTP response.<\/li>\n<li>We still use ColdFusions&#8217;s CFHTTP function, but in this case, we call our PHP web service first. \u00a0Our PHP web service makes the call to the TLS 1.2 supported web service.<\/li>\n<\/ul>\n<p>Example PHP script:<\/p>\n<pre class=\"prettyprint\"><code>$postBody = file_get_contents('php:\/\/input'); \u00a0\/\/ sent from the ColdFusion &lt;cfhttp&gt; call\r\n\r\n$url = '[my_endpoint_that_only_supports_tls_1.2]';\r\n$ch = curl_init();\r\ncurl_setopt( $ch, CURLOPT_URL, $url );\r\ncurl_setopt( $ch, CURLOPT_POST, true );\r\ncurl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: text\/xml'));\r\ncurl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );\r\ncurl_setopt( $ch, CURLOPT_POSTFIELDS, $postBody );\r\n$result = curl_exec($ch);\r\ncurl_close($ch);\r\n\r\necho $result;\r\n<\/code><\/pre>\n<p>Then, call your PHP script via &lt;cfhttp&gt;<\/p>\n<pre class=\"prettyprint\"><code>&lt;cfhttp method=\"post\" url=\"https:\/\/www.example.com\/http-script.php\"&gt;\r\n  &lt;cfhttpparam type=\"XML\" value=\"#my_xml_request_or_whatever#\" \/&gt;\r\n&lt;\/cfhttp&gt;<\/code><\/pre>\n<p>&nbsp;<\/p>\n<p>The only caveat here is, since your ColdFusion version doesn&#8217;t support TLS 1.2, you need to make sure that your PHP script accepts versions of TLS less than 1.2 \u00a0(whatever your ColdFusion version supports).<\/p>\n<p>Also, I&#8217;d highly recommend that you put any sensitive data in your PHP script ( usernames, passwords, etc) and not pass it in the &lt;cfhttp&gt; request body.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A workaround for ColdFusion&#8217;s lack of TLS 1.2 support. <\/p>\n","protected":false},"author":1,"featured_media":2544,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"amp_status":""},"categories":[34],"tags":[],"_links":{"self":[{"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/posts\/2542"}],"collection":[{"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/comments?post=2542"}],"version-history":[{"count":5,"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/posts\/2542\/revisions"}],"predecessor-version":[{"id":2548,"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/posts\/2542\/revisions\/2548"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/media\/2544"}],"wp:attachment":[{"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/media?parent=2542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/categories?post=2542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sitekickr.com\/blog\/wp-json\/wp\/v2\/tags?post=2542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}