Is it even possible to get CF9.0.2 with JDK 1.7 to support TLS1.2?

Xiaofeng Liu

unread,

Feb 14, 2017, 7:42:59 PM2/14/17

to cfau...@googlegroups.com

Hi folks,

I know this sounds crazy. A web service API we securely connect to is going to disable TLS 1.0 and 1.1 due to the new SSL security standards.

I got a CF9.0.2 box with update level /updates/chf9020001.jar applied. It also got java home switched to JRE under JDK 1.7. So it used to work without any issue until recently some changes made to the API testing environment and I got javax.net.ssl.SSLHandshakeException error during hand-shake.

Tried following this article below to set -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1:

https://www.trunkful.com/index.cfm/2014/12/8/Preventing-SSLv3-Fallback-in-ColdFusion

What I have also done is to import the whole chain of the API certificates into the keystore under the java in use.

However, just like the author of the above article mentioned, it can never go beyond TLSv1 when I make connection to the API.

jrpp-1, WRITE: TLSv1 Handshake, length = 186

........

jrpp-1, received EOFException: error

jrpp-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

jrpp-1, SEND TLSv1 ALERT: fatal, description = handshake_failure

jrpp-1, WRITE: TLSv1 Alert, length = 2

........

jrpp-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

My understanding is CF9 has reached EOL and it does not officially support JDK 1.8 so that does not seem to be an option either.

So I would like to reach out to see if anybody ever got this working on CF9 or the only option is to upgrade CF to 11?

I appreciate any thoughts on this.

--

Thanks,

Xiaofeng,

charlie arehart

unread,

Feb 14, 2017, 7:50:22 PM2/14/17

to cfau...@googlegroups.com

Just go ahead and run CF9 with Java 8. No, it’s not “supported”, but CF9 hasn’t been “supported” since 2012, so just go for it. Test things, watchin things. It’s worked find for many.

/charlie

--
You received this message because you are subscribed to the Google Groups "cfaussie" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cfaussie+u...@googlegroups.com.
To post to this group, send email to cfau...@googlegroups.com.
Visit this group at https://groups.google.com/group/cfaussie.
For more options, visit https://groups.google.com/d/optout.

Xiaofeng Liu

unread,

Feb 14, 2017, 8:00:32 PM2/14/17

to cfau...@googlegroups.com

Charlie,

Thanks for the quick response. Ok I'll put that as an option. The only thing is I saw lots of people saying do this at your own risk. But it does make me feel a bit more comfortable when you suggested that.

To unsubscribe from this group and stop receiving emails from it, send an email to cfaussie+unsubscribe@googlegroups.com.

To post to this group, send email to cfau...@googlegroups.com.
Visit this group at https://groups.google.com/group/cfaussie.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "cfaussie" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cfaussie+unsubscribe@googlegroups.com.

To post to this group, send email to cfau...@googlegroups.com.
Visit this group at https://groups.google.com/group/cfaussie.
For more options, visit https://groups.google.com/d/optout.

--

Best regards,

Xiaofeng,^_^

charlie arehart

unread,

Feb 14, 2017, 8:05:50 PM2/14/17

to cfau...@googlegroups.com

Well, that’s why I said “test things, watch things”. It is indeed “at your own risk”, but yep, you can take some comfort in the fact that others have “been there, done that” and were happy with the result. :-)

/charlie

Peter Pham

unread,

Feb 23, 2017, 3:46:50 PM2/23/17

to cfaussie

We were getting similar error as well and tried to upgrade JRE.

For most parts it was ok. However, I recalled that there was some gotchas during PDF generation (Can't remember the exact problem)

And eventually we had to roll it back.

If you do try, mind checking if any code running <cfdocument> is still smoothly.

P

Xiaofeng Liu

unread,

Feb 24, 2017, 12:13:13 AM2/24/17

to cfau...@googlegroups.com

Hi Peter, thanks for the heads up.

Mostly we r planning to migrate to Lucee.

--

charlie arehart

unread,

Feb 24, 2017, 9:51:10 AM2/24/17

to cfau...@googlegroups.com

Just curious, Xiaofeng, are you making that move because you found that (despite our discussions in this thread) you found you could NOT get CF 9.0.2 to work with TLS 1.2, even upon updating to Java 8 (as was your original question)? I get that you may say that you’re moving to Lucee for other reasons (like to get an updated CFML engine for free vs updating to CF 10/11/2016 that DO support Java 8).

Just want to know for the sake of closing out the discussion here, if others may be in the same boat (on CF9). Thanks. (And Peter’s comment there about CFDocument is interesting. I’d not heard of that being an issue, if one changed CF9 to use Java 8. I’ll be curious to hear if anyone else tries and/or confirms it.)

/charlie

From: cfau...@googlegroups.com [mailto:cfau...@googlegroups.com] On Behalf Of Xiaofeng Liu

Sent: Thursday, February 23, 2017 11:13 PM
To: cfau...@googlegroups.com

Subject: Re: [cfaussie] Re: Is it even possible to get CF9.0.2 with JDK 1.7 to support TLS1.2?

Xiaofeng Liu

unread,

Feb 26, 2017, 11:02:53 PM2/26/17

to cfau...@googlegroups.com

Hi Charlie,

Actually I've tried just switch to use Java 8 with CF9 and it is at least working for me to do with TLS 1.2. I was able to send the request through the secured connection and get response back. And I can verify in JRun logs that it is using TLS1.2 so everything looks great in that area.

The reason we are looking at migrating to Lucee is indeed CF9 is just too old. There is a need to upgrade it anyway. Was thinking about upgrade to CF11 as I've done that a couple of times at my previous job. But Lucee as you said is free and I've heard good things about it so that is probably the main reason for us to consider it - potentially saving cost in the long run.

Cheers,

--

You received this message because you are subscribed to the Google Groups "cfaussie" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cfaussie+unsubscribe@googlegroups.com.
To post to this group, send email to cfau...@googlegroups.com.
Visit this group at https://groups.google.com/group/cfaussie.
For more options, visit https://groups.google.com/d/optout.

--

Best regards,

Xiaofeng,^_^

charlie arehart

unread,

Feb 27, 2017, 10:05:37 AM2/27/17

to cfau...@googlegroups.com

Understood on the move. Thanks most of all for the confirmation on Java 8 indeed working to solve that CF9 problem.

/charlie

From: cfau...@googlegroups.com [mailto:cfau...@googlegroups.com] On Behalf Of Xiaofeng Liu
Sent: Sunday, February 26, 2017 10:03 PM
To: cfau...@googlegroups.com
Subject: Re: [cfaussie] Re: Is it even possible to get CF9.0.2 with JDK 1.7 to support TLS1.2?

Hi Charlie,

Actually I've tried just switch to use Java 8 with CF9 and it is at least working for me to do with TLS 1.2. I was able to send the request through the secured connection and get response back. And I can verify in JRun logs that it is using TLS1.2 so everything looks great in that area.

The reason we are looking at migrating to Lucee is indeed CF9 is just too old. There is a need to upgrade it anyway. Was thinking about upgrade to CF11 as I've done that a couple of times at my previous job. But Lucee as you said is free and I've heard good things about it so that is probably the main reason for us to consider it - potentially saving cost in the long run.

Cheers,

Reply all

Reply to author

Forward