We ran into this when a company contacted us at CF Webtools with the problem that ColdFusion was suddenly unable to connect to their email provider's mail servers. The complaint was that ColdFusion had been sending emails to their clients just fine the day before, but today it couldn't. These issues are usually best resolved by asking "What changed?" As far as the client knew, nothing had changed.

After doing some investigation on the server we decided to do some very simple testing. Does it connect to any mail server? Yes, it connected to our mail server without TLS just fine, but it would not with TLS. That's the big clue! I also noted they were on JVM 1.7.0_15, which I know is about two years old. During that time there have been mandated changes to SSL encryption levels requiring stronger encryption. If the CA Root Certificates on your system are old they may/will not work with new SSL certs that use the stronger encryption. We upgraded the JVM to version 1.7.0_67 and the problems were resolved. ColdFusion was once again sending email through their email provider's mail server over a secure connection.

So what happened?

This applies to anyone running anything on Java that needs to make SSL connections, including ColdFusion servers. This includes using things like CFHTTP, CFFTP, CFMAIL, CFPOP etc. Each of these can be used to make a secure connection over SSL. Recently SSL has undergone some changes and improvements. One of these changes is the increase in minimum key length to 2048 bits that went into effect this year.

New Standard for SSL Certificates: Industry standards set by the Certification Authority/Browser (CA/B) Forum require that certificates issued after January 1, 2014 MUST be at least 2048-bit key length.

As such, all Certificate Authorities have been issuing new Root CA certificates along with your newly purchased SSL certificate. If you have installed an SSL certificate recently, you have had to install the Root CA as well as the SSL cert.

For Java, the CA Roots stored in the Java keystore also need to be updated. You have a couple of options depending on the version of ColdFusion you are running and any Java dependencies you may have (if any at all). If you are running on a fully patched ColdFusion 9, 9.0.1 or 9.0.2 you can run the latest and greatest Java 1.7.0_nn release. (See this blog post of mine about the upgrade.) This will provide you with the latest CA Root Certificates. The same is true if you are running ColdFusion 10 or 11.

If you are still running on ColdFusion 8 your options are fewer. Let's first say that it's time to upgrade. ColdFusion 8 is no longer supported and it can only run on Java versions that are no longer supported. However, IF YOU MUST, the new CA Root certificates can be installed in your existing Java keystore. Mark Kruger, aka ColdFusion Muse, has a blog post on how to do this. The post is old, but so is your JVM.
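Before going down either path it helps to know what is actually in the truststore the ColdFusion JVM uses. The following small program is an added example written for this post; it is not code from CF Webtools, Adobe, or Mark Kruger's post. It loads the JVM's cacerts file (default location $JAVA_HOME/lib/security/cacerts and default password "changeit", both JDK defaults; the command-line arguments are placeholders you supply), flags trusted roots that are expired or carry RSA keys shorter than 2048 bits, and optionally tells you whether a given Root CA in PEM form is already trusted. Run it with the same java binary ColdFusion runs on, otherwise you are auditing the wrong keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Enumeration;

/**
 * TrustStoreAudit: inspects the JVM truststore (cacerts) that ColdFusion will use.
 * Usage: java TrustStoreAudit [path-to-cacerts] [storepass] [root-ca.pem]
 * Defaults (JDK defaults, assumed): $JAVA_HOME/lib/security/cacerts and "changeit".
 * Written for Java 6/7 compatibility on purpose: no lambdas, no newer APIs.
 */
public class TrustStoreAudit {

    /** Loads a keystore file with the given password. */
    public static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on these JVMs
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /** Returns the RSA modulus length in bits, or -1 for non-RSA keys (e.g. EC roots). */
    public static int keyBits(X509Certificate cert) {
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            return ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
        }
        return -1;
    }

    /** True if a certificate with exactly these encoded bytes is already trusted. */
    public static boolean contains(KeyStore ks, X509Certificate wanted) throws Exception {
        return ks.getCertificateAlias(wanted) != null;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        String pass = args.length > 1 ? args[1] : "changeit";
        KeyStore ks = load(path, pass);
        Date now = new Date();
        int total = 0, weak = 0, expired = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            total++;
            int bits = keyBits(x);
            boolean isExpired = x.getNotAfter().before(now);
            boolean isWeak = bits != -1 && bits < 2048;
            if (isWeak) weak++;
            if (isExpired) expired++;
            if (isWeak || isExpired) {
                System.out.println("FLAG " + alias + " bits=" + bits
                        + (isExpired ? " EXPIRED " + x.getNotAfter() : "")
                        + " subject=" + x.getSubjectX500Principal().getName());
            }
        }
        System.out.println(path + ": " + total + " trusted certs, " + weak
                + " with RSA < 2048 bits, " + expired + " expired");
        if (args.length > 2) {
            // Optional third argument: the Root CA (PEM) your provider shipped with the new cert.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            InputStream pem = new FileInputStream(args[2]);
            X509Certificate root;
            try {
                root = (X509Certificate) cf.generateCertificate(pem);
            } finally {
                pem.close();
            }
            System.out.println("Root CA from " + args[2]
                    + (contains(ks, root) ? " IS " : " is NOT ") + "present in " + path);
        }
    }
}
```

If the report says the provider's root is NOT present, that is the case the post describes: the JVM cannot build a chain to a root it trusts. The upgrade path fixes it by shipping a newer cacerts; the CF8 path fixes it by importing that root with keytool (`keytool -importcert -trustcacerts -alias <your-alias> -file root-ca.pem -keystore <path-to-cacerts>`), after which a second run of the audit should report it as present.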

Please consider upgrading to a newer version of ColdFusion!

Here is another case for upgrading to Java 1.7 and a newer version of ColdFusion. Several days ago this came in on CF-Talk:

Michael Grant wrote: Fast forward to a few days ago and my host disabled SSLv3, as the world has been instructed to do to thwart the POODLE vulnerability. The moment they did that my app no longer can process transactions. I get the classic "COM.Allaire.ColdFusion.HTTPFailure" type error with the message "Connection Failure: Status code unavailable". This isn't the typical message of when you don't have the cert installed where it says peer could not be authenticated.

According to tech support it's only with CF that disabling SSLv3 stops communication. Apparently others don't have this issue.

Does anyone know of a work around? I'm not sure if CF9 is the problem or CF as a whole. Would upgrading to CF10 help? I'm in a real bind here as the client hasn't been able to process e-commerce transactions for a few days now.

After lots of emails and discussion the solution was to upgrade from Java 1.6 to 1.7.

I finally have an update here. After much back and forth, and having to REALLY make a case for why, I was able to convince my hosting provider to update their CF servers to run Java 1.7 instead of 1.6. This had an immediate positive result and the SSL handshake was able to proceed properly with TLS.

The situation in this case is that the newer Java versions are updated to work with newer SSL standards and have dropped support for the older standards that are now vulnerable to exploitation.
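Both failures in this post, the mail server that stopped accepting the old JVM's TLS connection and the payment gateway that stopped working once the host disabled SSLv3, look the same from inside ColdFusion ("Connection Failure"), but a plain Java handshake tells them apart. The probe below is an added example written for this post, not code from CF Webtools, Adobe, or the CF-Talk thread. It assumes a host that speaks TLS as soon as the connection opens (implicit TLS, such as SMTPS on 465, IMAPS on 993, or HTTPS on 443; a STARTTLS port like 587 will not work with it), and the host and port on the command line are placeholders. It prints which protocol versions this JVM supports and enables by default, then either the negotiated protocol and peer chain, or a classification of the failure as a trust problem (root missing from cacerts) or a protocol problem (nothing in common with the server). The classification strings are a heuristic based on the SunJSSE exception wording and are an assumption of this example.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * TlsProbe: opens a TLS connection from *this* JVM to host:port (implicit TLS only),
 * reports supported/enabled protocol versions, and classifies a failed handshake.
 * Usage: java TlsProbe mail.example.com 465     (host and port are placeholders)
 * Written for Java 6/7 compatibility on purpose: no lambdas, no newer APIs.
 */
public class TlsProbe {

    /** Protocol versions this JVM can speak at all (not necessarily enabled by default). */
    public static String[] supportedProtocols() throws Exception {
        return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    }

    /** Heuristic classification of a handshake failure (assumption: SunJSSE message wording). */
    public static String classify(Throwable t) {
        String msg = String.valueOf(t.getMessage());
        if (msg.contains("PKIX path building failed")
                || msg.contains("unable to find valid certification path")) {
            return "TRUST: the server's chain does not lead to a root in this JVM's cacerts";
        }
        if (msg.contains("handshake_failure") || msg.contains("protocol_version")
                || msg.contains("No appropriate protocol")) {
            return "PROTOCOL: no protocol version/cipher in common; this JVM is likely too old";
        }
        return "OTHER: " + msg;
    }

    /** Performs the handshake and prints the outcome; rethrows so the exit code reflects failure. */
    public static void probe(String host, int port) throws Exception {
        System.out.println("java.version=" + System.getProperty("java.version")
                + " supported=" + Arrays.toString(supportedProtocols()));
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sock = (SSLSocket) factory.createSocket(host, port);
        try {
            System.out.println("enabled by default=" + Arrays.toString(sock.getEnabledProtocols()));
            sock.startHandshake(); // validates the chain against cacerts and negotiates a version
            System.out.println("OK negotiated " + sock.getSession().getProtocol()
                    + " with " + sock.getSession().getCipherSuite());
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  cert: " + x.getSubjectX500Principal().getName()
                        + "  issuer: " + x.getIssuerX500Principal().getName());
            }
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED " + classify(e));
            throw e;
        } finally {
            sock.close();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TlsProbe <host> <port>");
            System.exit(2);
        }
        probe(args[0], Integer.parseInt(args[1]));
    }
}
```

Run it with the java binary under the ColdFusion install, not whatever java happens to be first on the PATH, so the "supported" and "enabled by default" lines describe the JVM ColdFusion actually uses. On Java 7 you will see TLSv1.1 and TLSv1.2 in the supported list but not in the client's enabled list, which is the default for that release; a server that has dropped SSLv3 and only offers the newer versions will produce the PROTOCOL result, while a server whose new Root CA is missing from cacerts produces the TRUST result. For the full handshake trace, run either probe with -Djavax.net.debug=ssl.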

So this is yet another case for upgrading.

Please consider upgrading to a newer version of ColdFusion!