Wildcard and SAN SSL with CFHTTP in ColdFusion

Here at CF Webtools are getting a lot of companies coming to us with various CFHTTP issues. Lately this has been happening even more as SSL has been in the news more and certain SSL protocols and encryption levels have gone away or are on the way out. Most recently Wildcard and Subject Alternative Name certificates have been a concern for those running older ColdFusion servers with older versions of Java.

What is a Wildcard SSL certificates versus a Subject Alternative Name (SAN) certificates?

A wildcard SSL certificate allows for unlimited subdomains to be protected with a single certificate. For example if you owned "example.com" a wildcard would allow you to secure www.example.com, mail.example.com, or admin.example.com. Such a certificate would be issued to *.example.com and it could secure any subdomain of example.com for the device on which it was installed.

A SAN cert allows for multiple domain names to be protected with a single certificate. For example the SSL certificate issued to multiple fully qualified domains such as www.domain.com, www.domain2.com, www.domain3.com. This allows for the SAN SSL to be used for multiple sites on the same server all bound to the same IP Address. This does relate back to Server Name Indication (SNI) for web serves that I talked about a while back. In addition, this article by Thawte is a good primer. Let's take them each in turn.


ColdFusion 8 & 9 CFHTTP still works with Authorize.net

Authorize.net as of May 26th, 2015 upgraded their SSL to SHA-2 (256bit) encryption. See this post. At CF Webtools some of our clients have received this or similar notice.

Important: Security Certificate Upgrades on May 26th

Authorize.Net is upgrading our infrastructure to enhance system performance and security. On May 26, 2015, we are upgrading to new security certificates, which are signed using Security Hash Algorithm 2 (SHA-2) and 2048-bit signatures. Most modern operating systems and web servers support certificates that use SHA-2, however, there is a concern that older software--especially software based on outdated versions of Java--may not.

If any updates are necessary, please refer your web developer to this blog post in our Developer Community, which has all of the certificate information they will need for this update. Our sandbox environment has already been updated so that your developer can validate that your solution will continue to work using SHA-2 signed certificates, prior to May 26th.

After the update is complete on May 26th, any website or payment solution that cannot validate SHA-2 signed certificates will fail to connect to Authorize.Net's servers.

Some have been saying that your ColdFusion 8 CFHTTP using Java 1.6.0_nn will no longer work with Authorize.net. We've found this to not be the case. We have a crack team of ColdFusion Guru's here at CF Webtools and we've been testing for the potential fall out of these and other SSL upgrades for a few months. Personally, I have a testbed system here with ColdFusion versions 8, 9, 10 and 11 and that is setup for testing CFHTTP and SSL issues and I can easily test the same CFHTTP code on each ColdFusion version with each version of Java from 1.6 to 1.8. Another member of our team has been working with support at Authorize.net to ensure the upgrade to their SSL will work with existing ColdFusion 8 on Java 1.6 installations.