ColdFusion Debugging on Production, That wasn't a Good Idea

Today's short note is brought to you by "Don't Do That On Production!" At CF Webtools often times we get called in to help troubleshoot servers that are failing to perform well. We often hear the same sort of symptoms that goes like this. The server has been running fine for months then suddenly for no reason it's slow, CPU usage is high, and it hangs or crashes multiple times per day. This always prompts us to ask the same question. "What was changed just before these symptoms started?" And the answer is usually "Nothing was changed (as far as they knew)". In all reality the person we're talking to may not the be only person with access to make changes to the server. Or they may not in fact have access at all and they are relying on information provided to them by an IT team member. We take notes, assume nothing, and question everything (on the server).

We had this scenario play out a few times in the past few weeks with three servers from three different companies. The reason I'm writing this note is the same problem occurred on each server. The short answer is someone enabled ColdFusion Debugging on the production server. ColdFusion is a very powerful rapid development platform, but it has a few gotchas if you are not careful. Such as enabling debugging on a production server. Debugging output provides a massive amount of information and for obvious security reasons we never want this enabled on a production server. Yes, I know you can restrict debugging output to a certain IP address, but that does not prevent the debugging output from being generated. It's just not displayed. The generation of debugging output takes more CPU power and at times more JVM memory. On a low load web application you may not notice a difference. However, on a high load, high traffic production web application the extra resources needed to generate the debugging output may in fact cause all those symptoms described above.

In each of the cases Iwe saw these past few weeks, we were reviewing the servers settings, looking at the results of Fusion Reactor, and reviewing ColdFusion settings. On the first server we almost missed the fact that debugging was enabled. By the time we were troubleshooting the third server with similar symptoms we were checking to see if debugging was enabled before we did anything else. Disabling debugging resolved the bulk of the performance issues. We then used this time to review each server and offered additional performance tuning recommendations based on each servers resources and application needs.

This falls into the category of "Don't Do That On Production!" Please leave debugging to your development and staging servers.

CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations @ cfwebtools.com.

ColdFusion Bloggers Tweets

When I brought ColdFusionBloggers.og back to life, several of us were discussing the service on the CFML Slack channel. One of the many things that was mentioned was that some blogs these days are static and don't have a 'ping' service to ping an aggregator. That led to the venerable Sean Corfield mentioning that he does not read a blog post if he does not see it on his Twitter feed. I suspect others get their updates this was as well. I'm still 'old school' I guess because I still use and online news reader. I don't have a solution yet for those static blogs, but I'm percolating thoughts on that. However, during the process of resurrecting ColdFusionBloggers.og I noticed that at one time there was a Twitter account for @CFBloggers. I checked with Ray Camden and luckily he was able to remember the credentials for this account and passed those on to me.

The current iteration of ColdFusionBloggers.og is coded in Node.js. I've been learning what I can about Node as fast as I can. This past weekend started the process with Twitter to get my API tokens. While waiting on those I learned what I needed to get Node to send a Tweet. Today I received the Twitter API access tokens and this evening I was able to debug my hacked up Node code. The first tweet was sent! WooHoo! I think this is all working.

The short story is all new blog posts aggregated by ColdFusionBloggers.og will now be tweeted in real time. This being the first blog post to tweet. Cheers!

I hope this is the first of many changes for ColdFusionBloggers.og. Contact me to have your ColdFusion related blog added to the feed.

ColdFusion Bloggers is Alive

A short note to alert everyone that ColdFusionBloggers.org is back online and back to aggregating your blog posts.

The great Raymond Camden created this awesome resource and technically it will always be his. I happen to be the current caretaker if you will of this valuable service. If anyone was wondering why Ray decided to step away from ColdFusion Bloggers, see his blog post here. I reached out to Ray and he granted me the 'keys' so to speak. Thank you Ray! I've moved hosting to my AWS account for hosting and tonight I was able to work through the hiccups of migrating older code to a newer environment on newer versions of the backend software. I just completed adding SSL via Lets Encrypt and verified the ping service works. ColdFusion Bloggers is back in action!

Spread the word! Add your blog!

USPS Shipping API Ending TLS 1.1 and TLS 1.0 Support, is your ColdFusion Server Ready?

At CF Webtools we recently went through a round of server upgrades to handle the Authorize.net ending support for older TLS versions. Now USPS, United State Postal Service, is doing the same thing with their Shipping APIs. This is going to be happening for all API's and most likely all this year as PCI requirements for ending support for TLS 1.1 and older at the end of June 2018. This is according to the PCI Security Standards Council.

USPS will be turning off support for TLS 1.1 and older for testing. In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.

This message explains some security improvements planned for our services. Effective 06/22/18, Web Tools will discontinue support of Transport Layer Security (TLS) version 1.0 and 1.1 for securing connections to our HTTPS APIs through the following URL: https://stg-secure.shippingapis.com/shippingapi.dll. This includes, but is not limited to, all shipping label and package pickup APIs. After this change, integrations leveraging TLS version 1.0 and 1.1 will fail when attempting to access the APIs.

You are receiving this message because the Web Tools UserID associated with your email address has made HTTPS requests over the past year. It is possible that no changes are necessary to retain Web Tools services and benefit from the improvements. Please review the entire message carefully and share with your web developer, software vendor, or IT service provider to determine if your use of the Web Tools APIs will be affected. If you have already updated your security certificates please disregard this message. If you are not sure if any changes are necessary, please ask your IT service provider.

In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.

Further background: Security research published in recent years demonstrated that TLS version 1.0 and 1.1 contained weaknesses that limited its ability to protect and secure communications. These weaknesses have been addressed in the TLS 1.2 version. Major browser software vendors have been supporting TLS 1.2 for some time. Consistent with our priority to protect USPS Web Tools customers, Web Tools will only support versions of the more modern TLS 1.2 as of the effective date noted above.

Contact us at WebTools@usps.gov with any questions or concerns.

This means that if you are using older methods to make calls to USPS that are not capable of making TLS 1.2 connections then you will NOT be able to process Shipping API transactions.

This affects ALL ColdFusion versions 9.0.2 and older! This also affects ColdFusion 10 Update 17 and older. If your server is running any of these older versions of ColdFusion and your server is processing Shipping API transactions with USPS then this advisory applies to your server.

Mitigation

Getting compliant depends on age of your server operating system. There are three main ways to get your server to handle TLS 1.2.

  1. If you're running on Windows Server 2008 Standard (not R2) or older then the only solution is to migrate to a newer server. This can be challenging and time consuming. It's best to start planning now if a plan isn't already in place and being acted upon.
  2. If your server is running ColdFusion 10 and newer on Windows Server 2008 R2 or newer then the solution is most likely very simple. In most cases you'll need to install the ColdFusion patches and upgrade to Java 1.8.0_nn.
  3. There is a solution for the in between systems running ColdFusion 9 and older on Windows 2008 R2. This does require using a third party extension to ColdFusion and some refactoring of your code to call the API.
  4. There are sure to be outlier cases that will require either migration or patching depending on the exact combination of operating system, ColdFusion version and Java version.

CF Webtools has been successfully mitigating this issue for clients servers for the past couple years and we are very experienced in resolving these security related issues. In a previous blog post I tested which TLS levels were supported by various ColdFusion versions on various Java versions and produced an easy to read chart.

If your ColdFusion server is affected by this or if you do not know if your ColdFusion server is affected by this then please contact us (much) sooner than later. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

Get Your Beta Here! ColdFusion 2018 Beta!

Adobe has announced the Public Beta of Adobe ColdFusion 2018 is now available. This release brings an all new Performance Monitoring Toolset that is available with both the Standard and Enterprise versions (So I've been told). There's plenty of language improvements and updates and a new Public Beta of ColdFusion Builder 2018. Hurry up while supplies last!

There a large number of changes including an all new ColdFusion Administrator. Here's a partial list of new things according to Adobe:

  1. ColdFusion (2018 release) has a new User Interface. The new interface is based on a tiled interface. We have also enriched the search experience on the Administrator portal.
  2. We have removed Server Monitor. We have introduced a tool called Performance Monitoring Toolset, which is more intuitive, includes more features, and provides better visibility of your application's performance.
  3. We have made significant improvements to the core language features. Here is a brief list of the changes:
    1. Introduced NULL support
    2. Introduced closures in tags
    3. Introduced Asynchronous programming using Future
    4. Enhanced Object-Oriented Programming with the following:
      1. Abstract components and methods
      2. Final component, method, and variable
      3. Default functions in interfaces
      4. Covariance
    5. Semi-colons are now optional in a cfscript code
    6. Introduced named parameters in functions
    7. Introduced slicing in arrays
    8. New operator support using name-spaces for java, webservices, dotnet com, corba, and cfc
    9. Introduced support for typed arrays
    10. Introduced string literals and support for numeric member functions
    11. Introduced negative indices support for arrays
    12. New functions- ArrayFirst, Arraylast, QueryDeleteColumn, and QueryDeleteRow
  4. Enhanced CLI and introduced REPL.
  5. Introduced REST Playground application for testing your REST APIs.
  6. Added support for REST PATCH verb.
  7. Filter fields from JSON request.
  8. Enhance performance through Caching with the newly added engines:
    1. Memcached
    2. JCS
    3. Redis
    4. Using a custom cache plugin
  9. New Admin APIs to support the caching engines
  10. Hibernate upgraded to ver 5.2
  11. New configuration settings in wsconfig tool
  12. Updates to ColdFusion Builder.

This is a huge update! Get it while it's hot!

ColdFusion Security updates for ColdFusion 2016 and ColdFusion 11

Adobe released important security updates and big fixes today, update 6 and update 14 for ColdFusion 2016 and ColdFusion 11 respectively.

These updates resolve an important insecure library loading vulnerability (CVE-2018-4938), an important cross-site scripting vulnerability that could lead to code injection (CVE-2018-4940) and an important cross-site scripting vulnerability that could lead to information disclosure (CVE-2018-4941). These updates also include a mitigation for a critical unsafe Java deserialization vulnerability (CVE-2018-4939) and a mitigation for a critical unsafe XML parsing vulnerability (CVE-2018-4942).

There is a bug of great importance to many that has finally been fixed. I've blogged about this before and I was able to create a work around to resolve this issue until it was fixed by Adobe. The SFTP/FTPS bug would not allow connections to secure FTP servers that utilized newer SSL protocols. When using CFFTP to connect to some S-FTP server, during connection, you can see an error message. This has been a growing issue as more and more companies replace plain text FTP servers with SFTP or FTPS servers that utilize stronger protocols.

For ColdFusion 2016 this update upgrades Tomcat to version 8.5.28 and OpenSSL to version 1.0.2n.

For ColdFusion 11 this update upgrades Tomcat to version 7.0.85 and OpenSSL to version 1.0.2n.

The security updates referenced in the above Tech Notes require JDK 8u121 or higher (for ColdFusion 2016) and JDK 7u131 or JDK 8u121 (for ColdFusion 11).

This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them or if they are not familiar or knowledgeable with ColdFusion contact us at CF Webtools to patch your servers. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

*Note: ColdFusion 11 when it was first released came with a version of Java 1.7.0_nn. Adobe later re-released ColdFusion 11 with Java 1.8.0_25. If you have ColdFusion 11 still running on Java 1.7 I highly recommend that Java be upgraded to Java 1.8. Oracle is no longer supporting Java 1.7 and 1.7 is long past it's end of life. Even though the Adobe instructions for this current security update states that you can run Java 1.7.0_131, I highly recommend upgrading to Java 1.8. Personally I will not install Java 1.7 on a clients servers and sign off on it being 'secure'.

ColdFusion SFTP and FTPS Secure Connection Failure

I have seen a lot more people asking questions about making SFTP or FTPS secure connections from ColdFusion using the <CFFTP> tag. They are trying to figure out why they cannot make a connection. Often the error is "Algorithm negotiation fail" or "Connection Error". People are posting their questions on many support forums including Adobes forums and their new ColdFusion Community Portal. This is a problem people are experiencing in ColdFusion 10 and ColdFusion 11.

In the last few years we've seen a huge shift in SSL/TLS security including the removal of older less secure protocols and forcing secure connections to use the newer stronger protocols with stronger TLS certificates and stronger encryption cyphers. As such older systems need to be upgraded to handle the newer security protocols. More recently plain old unsecure FTP portals have been the focus of change to SFTP or FTPS.

At CF Webtools we've run into this same problem several times with multiple clients. It was so much of a problem that I needed to spend some dedicated time to see how we could resolve this issue.

The first thing I discovered is that this issue is a known "bug" that has been reported to Adobe. It's been a long known issue and somehow the fix which is in ColdFusion 2016 has not been included in an update for earlier ColdFusion versions. However, Adobe has affirmed to me that this fix is scheduled for an upcoming update.

Because it was fixed in ColdFusion 2016 I was able to inspect the included jar files to see if the one that handles CFFTP or secure communications was newer than the one(s) in ColdFusion 11. What I found is that jsch-0.1.44m.jar had been replaced by jsch-0.1.52m.jar. The JSCH jar library is the library that handles Java Secure Channel communications. "JSch allows you to connect to an sshd server and use port forwarding, X11 forwarding, file transfer, etc., and you can integrate its functionality into your own Java programs."

After seeing this was upgraded I had an ah-ha moment and figured it was worth a try to copy this newer version into my ColdFusion 11 test server and see what happened. The new version is in ./ColdFusion2016/cfusion/lib folder. You can download the free ColdFusion 2016 Developer Edition and install it anywhere so you can get access to the updated jar file. Once you have the new jar file copy it into ColdFusion 11. The proper way to do this is to remove or rename the old jar file version in your ColdFusion11/cfusion (or instance name)/lib folder then copy the new jar file version into the same folder. Then start or restart ColdFusion 11. That's it. You're done. The bug is fixed and you're good to go with SFTP or FTPS using <CFFTP> in ColdFusion 11.

This is not an approved fix from Adobe. I do not know if there is some unknown issue that could be created by doing this. However, I do know that everyone I've talked to that has tried this has had their secure FTP issues resolved. Additionally I have not tried this 'fix' in ColdFusion 10. However, if you are running into this issue with ColdFusion 10 it's worth the minimal effort to give it a try.

If you need someone to make this change on your ColdFusion server then contact us, we can help. CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations @ cfwebtools.com.

Connect ColdFusion JDBC to Sybase SQL Anywhere

This is something that might not come up often, but every once in a while we have to connect to a Sybase database. This is a built in feature in the Enterprise version of ColdFusion. However, if you have the Standard version of ColdFusion you have to manually add the JDBC jar file and build the connection string by hand. This is easy to do once you have the correct information and correct format of the connection string. Finding that correct information was nearly impossible and required a lot of trial and error.

Here's the case we had to resolve at CF Webtools. One of our clients has been using ColdFusion and Sybase for ages. For the record this is Sybase SQL Anywhere 16. For those that are not aware SAP owns Sybase thus the official name is SAP SQL Anywhere 16. For the longest time they were using ODBC connectors and older versions of ColdFusion on older Windows servers. More recently they have upgraded to ColdFusion 11 on newer Windows servers and were still trying to make the connections to Sybase via ODBC. This is a large multi-tenant operation in which there are hundreds of databases on the Sybase servers. Yes, plural servers. There are two servers that are replicated and handle failover. This means the ColdFusion Datasource connection also needs to handle failover. With ODBC failover is handled by Microsoft ODBC settings. With JDBC we had to setup failover in the JDBC connection string.

[More]

TLS1.2 for ColdFusion 9 and Older

The upcoming Authorize.NET switch to using TLS 1.2 only has a lot of people scrambling to get their servers updated. This has been a long planned transition at Authorize.NET and at many/most/all other payment processing companies. The inevitable facts are that TLS 1.0 and TLS 1.1 are outdated and they are going away. At CF Webtools we have been preparing for this inevitable day for the past few years.

ColdFusion 9.0.n is not tested to work on Java 1.8 and I have had cases were certain features of ColdFusion 9 did not work with Java 1.8. I have not tried any older versions of ColdFusion on Java 1.8 and I'm not going to. Adobe has not certified any versions of ColdFusion older than version 10 Update 14 (or ColdFusion 11 Update 2 and older). All of that being said, there is a workaround that uses a 3rd party commercial solution to make TLS 1.2 connections from ColdFusion 9. It works well, but I do not recommend that as a long term solution. The preferred long term solution is upgrading the server(s) and ColdFusion version to currently supported versions. This way there will be security updates to help protect against new threats. The commercial third-party CFX tag will require recoding the CFHTTP calls for the new CFX tag. The tag is CFX_HTTP5 and it is available here.

Follow the installation instructions that comes with the download and then you will have to recode your CFHTTP calls similar to the examples below. The code examples are for the older Authorize.NET Advanced Integration Method (AIM) API calls that you are most likely using in your older ColdFusion CFHTTP calls.

view plain print about
1<cfset authURL = "https://test.authorize.net/gateway/transact.dll" />
2 <cfif AuthNetMode eq "live">
3 <cfset authURL = "https://secure.authorize.net/gateway/transact.dll" />
4 </cfif>
5
6<!--- CFHTTP Call - Your code might look something like this --->
7<cfhttp url="#authURL#" method="post" result="cfhttp">
8 <cfhttpparam type="FORMFIELD" name="x_Login" value="#AuthLogin#">
9 <cfhttpparam type="FORMFIELD" name="x_Password" value="#AuthPassword#">
10 <cfhttpparam type="FORMFIELD" name="x_merchant_email" value="#AuthEmail#">
11 <cfhttpparam type="FORMFIELD" name="x_delim_data" value="true">
12 <cfhttpparam type="FORMFIELD" name="x_test_request" value="#x_test_request#">
13
14 <!--- we're using AUTH_ONLY so the card isn't charged until the order is processed --->
15 <cfhttpparam type="FORMFIELD" name="x_type" value="AUTH_ONLY">
16 <cfhttpparam type="FORMFIELD" name="x_method" value="cc">
17
18 <cfhttpparam type="FORMFIELD" name="x_amount" value="#orderTotal#">
19 <cfhttpparam type="FORMFIELD" name="x_card_num" value="#cardNumber#">
20 <cfhttpparam type="FORMFIELD" name="x_exp_date" value="#cardExpiration#">
21 <cfif isDefined("cardSecurityCode") and cardSecurityCode eq "">
22 <cfhttpparam type="FORMFIELD" name="x_card_code" value="#cardSecurityCode#">
23 </cfif>
24
25 <!--- If you want an email to go to the customer via authorize.net
26change this to true. Make sure authorize.net is configured properly. --->

27 <cfhttpparam type="FORMFIELD" name="x_email_customer" value="#x_email_customer#">
28
29 <cfhttpparam type="FORMFIELD" name="x_first_name" value="#billingFirstName#">
30 <cfhttpparam type="FORMFIELD" name="x_last_name" value="#billingLastName#">
31 <cfhttpparam type="FORMFIELD" name="x_company" value="#billingCompany#">
32 <cfhttpparam type="FORMFIELD" name="x_address" value="#billingAddress#">
33 <cfhttpparam type="FORMFIELD" name="x_city" value="#billingCity#">
34 <cfhttpparam type="FORMFIELD" name="x_state" value="#billingState#">
35 <cfhttpparam type="FORMFIELD" name="x_zip" value="#billingZip#">
36 <cfhttpparam type="FORMFIELD" name="x_country" value="#billingCountry#">
37
38 <cfhttpparam type="FORMFIELD" name="x_customer_ip" value="#cgi.remote_address#">
39 <cfhttpparam type="FORMFIELD" name="x_Email" value="#billingEmail#">
40 <cfhttpparam type="FORMFIELD" name="x_Phone" value="#billingPhone#">
41
42 <cfhttpparam type="FORMFIELD" name="x_ship_to_first_name" value="#shippingFirstName#">
43 <cfhttpparam type="FORMFIELD" name="x_ship_to_last_name" value="#shippingLastName#">
44 <cfhttpparam type="FORMFIELD" name="x_ship_to_company" value="#shippingCompany#">
45 <cfhttpparam type="FORMFIELD" name="x_ship_to_address" value="#shippingAddress#">
46 <cfhttpparam type="FORMFIELD" name="x_ship_to_city" value="#shippingCity#">
47 <cfhttpparam type="FORMFIELD" name="x_ship_to_state" value="#shippingState#">
48 <cfhttpparam type="FORMFIELD" name="x_ship_to_zip" value="#shippingZip#">
49 <cfhttpparam type="FORMFIELD" name="x_ship_to_country" value="#shippingCountry#">
50 <cfhttpparam type="FORMFIELD" name="x_Description" value="#description#">
51 <cfhttpparam type="FORMFIELD" name="x_invoice_num" value="#invoicenum#">
52 </cfhttp>
53
54 <cfset response = cfhttp.fileContent>

To refactor your code you will want to do something like this.

view plain print about
1<cfset authURL = "https://test.authorize.net/gateway/transact.dll" />
2 <cfif AuthNetMode eq "live">
3 <cfset authURL = "https://secure.authorize.net/gateway/transact.dll" />
4 </cfif>
5<!--- CFX_HTTP5 Call - You'll want to refactor your code in this fashion --->
6
7<cfset httpBody = "x_Login=#AuthLogin#&
8 x_Password=#AuthPassword#&
9 x_merchant_email=#AuthEmail#&
10 x_delim_data=true&
11 x_test_request=#x_test_request#&
12 x_type=AUTH_ONLY&
13 x_method=cc&
14 x_amount=#orderTotal#&
15 x_card_num=#cardNumber#&
16 x_exp_date=#cardExpiration#&
17 x_first_name=#billingFirstName#&
18 x_last_name=#billingLastName#&
19 x_company=#billingCompany#&
20 x_address=#billingAddress#&
21 x_city=#billingCity#&
22 x_state=#billingState#&
23 x_zip=#billingZip#&
24 x_country=#billingCountry#&
25 x_customer_ip=#cgi.remote_address#&
26 x_Email=#billingEmail#&
27 x_Phone=#billingPhone#&
28 x_ship_to_first_name=#shippingFirstName#&
29 x_ship_to_last_name=#shippingLastName#&
30 x_ship_to_company=#shippingCompany#&
31 x_ship_to_address=#shippingAddress#&
32 x_ship_to_city=#shippingCity#&
33 x_ship_to_state=#shippingState#&
34 x_ship_to_zip=#shippingZip#&
35 x_ship_to_country=#shippingCountry#&
36 x_Description=#description#&
37 x_invoice_num=#invoicenum#"
>

38
39 <!--- If you want an email to go to the customer via authorize.net
40change this to true. Make sure authorize.net is configured properly. --->

41 <cfset httpBody = httpBody & "&x_email_customer=#x_email_customer#">
42
43 <cfif isDefined("cardSecurityCode") and cardSecurityCode neq "">
44 <cfset httpBody = httpBody & "&x_card_code=#cardSecurityCode#">
45 </cfif>
46
47 <cfset cfxhttp = {}>
48 <cfset headers = "Content-Type: application/x-www-form-urlencoded">
49 <cfx_http5 url="#authURL#" method="post" out="cfxhttp.body" outqhead="cfxhttp.QHEAD" outhead="cfxhttp.RHEAD" ssl="5" body="#httpBody#" header="#headers#">
50 </cfx_http5>
51
52 <cfset response = cfxhttp.body>

The code is a minor change and relatively easy to do. I've tested this method in a production environment and it works fine. I do not recommend this as a long term solution. The preferred long term solution is upgrading the server(s) and ColdFusion version to currently supported versions. This way there will be security updates to help protect against new threats. If you are on ColdFusion 10 or 11 then the best option is to install the ColdFusion patches and upgrade the Java version to 1.8 then you will be good to go. If you need an experience ColdFusion developer to make these changes then please do contact us, we will be happy to assist.

This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them. If you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

UPDATE: This fix will not work for Windows 2003 Server as there is no support from Microsoft for TLS 1.1 or 1.2 in this server version.

Authorize.NET Temporarily Ending TLS 1.1 and TLS 1.0 Support, is your ColdFusion Server Ready?

At CF Webtools we have been preparing for this inevitable day for the past few years. We've been upgrading our clients servers and services to handle TLS 1.2 calls to Authorize.Net and other third party processors for a while now. Recently Authorize.Net announced a "Temporary Disablement of TLS 1.0/1.1" for "a few hours on January 30, 2018 and then again on February 8, 2018." This is in preparation for the final disablement of TLS1.0/1.1 on February 28, 2018.

As you may be aware, new PCI DSS requirements state that all payment systems must disable earlier versions of TLS protocols. These older protocols, TLS 1.0 and TLS 1.1, are highly vulnerable to security breaches and will be disabled by Authorize.Net on February 28, 2018.

To help you identify if you're using one of the older TLS protocols, Authorize.Net will temporarily disable those connections for a few hours on January 30, 2018 and then again on February 8, 2018.

Based on the API connection you are using, on either one of these two days you will not be able to process transactions for a short period of time. If you don't know which API you're using, your solution provider or development partner might be a good resource to help identify it. This disablement will occur on one of the following dates and time:

  • Akamai-enabled API connections will occur on January 30, 2018 between 9:00 AM and 1:00 PM Pacific time.
  • All other API connections will occur on February 8, 2018 between 11:00 AM and 1:00 PM Pacific time.
Merchants using TLS 1.2 by these dates will not be affected by the temporary disablement. We strongly recommend that connections still using TLS 1.0 or TLS 1.1 be updated as soon as possible to the stronger TLS 1.2 protocol.

This means that if you are using older methods to make calls to Authorize.Net that are not capable of making TLS 1.2 connections then you will NOT be able to process credit card transactions.

This affects ALL ColdFusion versions 9.0.2 and older! This also affects ColdFusion 10 Update 17 and older. If your server is running any of these older versions of ColdFusion and your server is processing credit cards with Authorize.Net then this advisory applies to your server.

CF Webtools has been successfully mitigating this issue for clients servers for the past couple years and we are very experienced in resolving these security related issues. In a previous blog post I tested which TLS levels were supported by various ColdFusion versions on various Java versions and produced an easy to read chart.

If your ColdFusion server is affected by this or if you do not know if your ColdFusion server is affected by this then please contact us (much) sooner than later. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

More Entries