SiteKickr Web Development

ColdFusion and the TLS 1.2 shortcut

The security community would have my head for even thinking about this concept. But I think it’s acceptable depending on your situation.

More and more web services (notably, credit card gateways) are disabling TLS versions lower than 1.2 due to security vulnerabilities.

For those of us using PHP or another open-source / community-supported language, this is not a problem. We simply update our helper HTTP libraries / executables (curl, for example) and call it a day.

It’s not that easy with ColdFusion. Honestly, I’m afraid to touch many aspects of my ColdFusion install for fear something will break.

But it’s more than ColdFusion. It’s the underlying Java Virtual Machine that determines which version of TLS is supported. If your version is old and your current version of ColdFusion doesn’t support later JVMs, you’re out of luck.

So, for those of us in that boat – it might be easier to seek another method of performing the TLS 1.2 HTTP call.

For me, that method was a PHP “web service”. Since my ColdFusion instance runs on a LAMP stack, I had easy access to PHP.

Example PHP script:

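<?php
// Request body sent from the ColdFusion <cfhttp> call
$postBody = file_get_contents('php://input');

// Endpoint that only supports TLS 1.2
$url = '[my_endpoint_that_only_supports_tls_1.2]';
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $url );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: text/xml'));
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, $postBody );
$result = curl_exec($ch);
if ($result === false) {
    // curl_exec() returns false on failure (including a failed TLS handshake)
    error_log('cURL error: ' . curl_error($ch));
    http_response_code(502);
    $result = '';
}
curl_close($ch);

// Return the upstream response to ColdFusion
echo $result;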

Then, call your PHP script via <cfhttp>:

<cfhttp method="post" url="https://www.example.com/http-script.php">
  <cfhttpparam type="XML" value="#my_xml_request_or_whatever#" />
</cfhttp>

 

The only caveat here is that, since your ColdFusion version doesn’t support TLS 1.2, the web server hosting your PHP script must accept TLS versions lower than 1.2 (whatever your ColdFusion version supports).

Also, I’d highly recommend that you keep any sensitive data (usernames, passwords, etc.) in your PHP script and not pass it in the <cfhttp> request body.
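
A hardened variant of the relay script above, added here as an example (it is not the original author's code): it pins the outbound leg to TLS 1.2 or later with certificate checks, and limits who can use the relay, since the inbound leg runs over weaker TLS. The endpoint URL, the caller allowlist (which assumes ColdFusion calls from the same host), the size cap, the timeouts and PHP 7 or later are all assumptions to adjust.

```php
<?php
// Added example: hardened relay. The three constants below are assumptions/placeholders.
const UPSTREAM_URL    = 'https://gateway.example.invalid/endpoint'; // placeholder endpoint
const ALLOWED_CALLERS = ['127.0.0.1', '::1'];   // assumed: ColdFusion runs on the same host
const MAX_BODY_BYTES  = 65536;                  // assumed cap on the relayed request size

function deny($status, $msg) {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// Only the ColdFusion server may use the relay, and only with POST.
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', ALLOWED_CALLERS, true)) {
    deny(403, 'Forbidden');
}
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    deny(405, 'Method Not Allowed');
}

$postBody = file_get_contents('php://input', false, null, 0, MAX_BODY_BYTES + 1);
if ($postBody === false || $postBody === '' || strlen($postBody) > MAX_BODY_BYTES) {
    deny(400, 'Bad Request');
}

$ch = curl_init(UPSTREAM_URL); // fixed URL, never taken from the request
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $postBody,
    CURLOPT_HTTPHEADER     => ['Content-Type: text/xml'],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // refuse anything below TLS 1.2
    CURLOPT_SSL_VERIFYPEER => true,                    // validate the certificate chain
    CURLOPT_SSL_VERIFYHOST => 2,                       // and that it matches the host name
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,         // no plain HTTP
    CURLOPT_FOLLOWLOCATION => false,                   // do not follow redirects elsewhere
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 20,
]);
$result = curl_exec($ch);
if ($result === false) {
    error_log('TLS relay failed: ' . curl_error($ch)); // detail goes to the log, not the caller
    deny(502, 'Upstream request failed');
}

echo $result;
```

If the script is reached through the public host name rather than the loopback interface, REMOTE_ADDR will be the server's own address, so the allowlist needs that address instead.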