What versions of TLS does Railo CFHTTP support?


Ayudh Nagara

Feb 11, 2016, 4:51:40 AM
to Railo
I have a simple question: We are currently on Railo 4.2.1 and need to know what version of TLS is supported when applications make a CFHTTP call to an SSL site. Reason: our payment gateway provider is going to disable TLS 1.0 soon and will only support TLS 1.1 and up, so I need to know whether our transactions will still work when that happens. If not, what version of Railo/Lucee do we need to move to?
There are a number of posts around the subject but I couldn't find a definitive answer to this question.

Peter Boughton

Feb 11, 2016, 4:37:43 PM
to ra...@googlegroups.com
Find a public server that already only supports TLS 1.1 and up, make a cfhttp call to it and see what happens.

You should be looking to move to the latest stable Lucee 4.5.x regardless.

Andrew Dixon

Feb 11, 2016, 6:10:12 PM
to ra...@googlegroups.com
There were several updates in the Lucee 4.5.018 stable release to bring support for newer SSL certificates, cipher suites and encryption methods, so to be sure I would highly recommend you move to Lucee 4.5.018 as soon as possible. Details on how to migrate can be found here:


Kind regards,

Andrew


Ayudh Nagara

Feb 13, 2016, 11:50:09 AM
to Railo
OK, I migrated to Lucee 4.5.3.004 final and found that CFHTTP is still using a very old TLS 1.0 which is being phased out.
To test, I wrote a little script that issues a CFHTTP GET request to https://www.howsmyssl.com/ and displays the response.
This site detects and returns the requester's TLS version among other things.
Definitely still at TLS 1.0.

We urgently need to get more secure TLS versions (1.1 or 1.2) in a few days' time or we'll be locked out of our payment gateway.

You mentioned Lucee 4.5.018 (I presume you meant 4.5.2.018) - are you saying this version supported the newer TLS versions 1.1, 1.2 but not the later Lucee version 4.5.3.004?

Peter Boughton

Feb 13, 2016, 2:05:35 PM
to ra...@googlegroups.com
You're probably running it against Java 7 then.


I ran this code:

    <cfhttp url="https://www.howsmyssl.com/" />

    <cfdump var=#rematch('Your client is using[^<]+',cfhttp.FileContent)# />
    <cfdump var=#Server.Lucee.Version# />
    <cfdump var=#Server.Java.Version# />

Against an old Lucee setup and got:

    Your client is using TLS 1.2, the most modern version of the encryption protocol. It gives you access to the fastest, most secure encryption possible on the web.
    4.5.1.008
    1.8.0_31


Also ran it against Railo 4.0.2 on the same Java version and got TLS 1.2 returned.

So upgrade to latest stable Java 8.
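
Added example (not part of the original thread): a CFML check, run inside the same Railo/Lucee instance, of which TLS versions its JVM enables by default for outbound connections and which it only supports. It assumes CFHTTP inherits the JVM defaults, as the results in this thread suggest; the variable names are illustrative.

```cfml
<cfscript>
// Added example, not from the thread. Run it inside the Railo/Lucee instance
// so it reports on the JVM that instance is really using.
sslContext = createObject("java", "javax.net.ssl.SSLContext").getDefault();

// Protocols a client socket gets when the caller configures nothing.
enabledList   = arrayToList(sslContext.getDefaultSSLParameters().getProtocols());
// Protocols the JVM could negotiate if they were switched on.
supportedList = arrayToList(sslContext.getSupportedSSLParameters().getProtocols());

report = [];
for (proto in ["TLSv1", "TLSv1.1", "TLSv1.2"]) {
    if (listFind(enabledList, proto) gt 0) {
        state = "enabled by default";
    } else if (listFind(supportedList, proto) gt 0) {
        state = "supported but off by default";
    } else {
        state = "not available in this JVM";
    }
    arrayAppend(report, { protocol = proto, state = state });
}

// Assumption: CFHTTP inherits these JVM defaults (consistent with this thread).
modernByDefault = listFind(enabledList, "TLSv1.1") gt 0
               or listFind(enabledList, "TLSv1.2") gt 0;

writeDump(var = server.java.version, label = "Java version");
writeDump(var = report, label = "Client-side TLS protocols");
writeDump(var = modernByDefault, label = "TLS 1.1+ offered without extra configuration");
</cfscript>
```

If TLS 1.1 and 1.2 show as "supported but off by default", the JVM can speak them but outbound calls will not offer them unless the runtime is reconfigured or upgraded.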

Andrew Dixon

Feb 13, 2016, 6:39:30 PM
to ra...@googlegroups.com
Hi,

Also, on top of what Peter said about Java 7, 4.5.3.004 is bleeding edge and not recommended for production; the latest stable release is 4.5.2.018, so I would suggest going to that. Also, if you upgraded your Railo instance you probably need to update some JARs related to http, see the "optional step" on this blog post:


Kind regards,

Andrew


Ayudh Nagara

Feb 13, 2016, 8:32:14 PM
to Railo
Thanks. The 3 optional jar files seem to be exactly the same as the ones already included in the 4.5.2.018 download. 
I did a file compare on:
apache-commons-httpclient.jar
apache-commons-httpcore.jar
apache-commons-httpmime.jar
and there's zero difference.
So I presume they have now been merged into the main download.

Andrew Dixon

Feb 13, 2016, 9:40:00 PM
to ra...@googlegroups.com
Yes, they are included in the download, but I thought you had upgraded from Railo using the "replace railo.jar" method in the link I sent.

Kind regards,

Andrew

Ayudh Nagara

Feb 13, 2016, 10:47:41 PM
to Railo
Hi Peter, upgrading to Java 8 did the trick :-)  
Now CFHTTP is making requests using TLS 1.2. 
Many thanks!