Re: Work Around for SSLv3 Vulnerability?
Well thank you for writing this. Hopefully it helps others.

On Saturday, December 13, 2014, Wil Genovese jugg...@trunkful.com wrote:

Well, your question was one of the reasons I did the research. We had several clients at CF Webtools and a few at other hosting companies that needed to know for sure how CFHTTP and SSL were working.

Regards,
Wil

Sent from a hand held device that autocorrects my typos in a mist humorous fashion.

On Dec 13, 2014, at 6:06 PM, Michael Grant mgr...@modus.bz wrote:

Wow I could've used this four weeks ago! Haha. Good article.

On Monday, December 8, 2014, Wil Genovese jugg...@trunkful.com wrote:

I just published blog posts today on how to prevent ColdFusion from falling back to SSLv3 with CFHTTP.

http://www.trunkful.com/index.cfm/2014/12/8/Preventing-SSLv3-Fallback-in-ColdFusion
http://www.coldfusionmuse.com/index.cfm/2014/12/8/colfusion-jvm-versions-sslv3-tls

Enjoy!

Wil

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Nov 19, 2014, at 6:49 PM, Russ Michaels r...@michaels.me.uk wrote:

we're on CF9

On Thu, Nov 20, 2014 at 12:16 AM, Wil Genovese jugg...@trunkful.com wrote:

This is the Adobe bug report about Solr breaking with Java 1.7.0_51 and higher when sandboxes are enabled. This was just fixed in Update 14 for CF10.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Nov 19, 2014, at 4:28 PM, Russ Michaels r...@michaels.me.uk wrote:

no I haven't seen it, I even emailed Adobe about it directly and got no reply

On Wed, Nov 19, 2014 at 9:49 PM, Michael Grant mgr...@modus.bz wrote:

I appreciate your feedback Russ. Thank you. From what I've read there does seem to be a fix to the broken SOLR collections. Have you seen this?

On Wed, Nov 19, 2014 at 10:20 AM, Russ Michaels r...@michaels.me.uk wrote:

if you are on a shared server then it would be an issue for others who are using SOLR, which would then require the host to roll back to 1.6, which would then cause your problem again. Judging by the fact that you said you had to convince them to do this, I assume it is a shared server, otherwise you would have been free to do it yourself had it been your own server. Thus why I am suggesting you check this rather than just dismiss it because it doesn't affect you, as when on a shared server you have to consider everyone.

On Wed, Nov 19, 2014 at 12:24 AM, Michael Grant mgr...@modus.bz wrote:

Hi Russ, I don't use SOLR so this isn't an issue for my use case.

On Tue, Nov 18, 2014 at 11:57 AM, Russ Michaels r...@michaels.me.uk wrote:

did you check if SOLR still works after the upgrade ?

On Tue, Nov 18, 2014 at 3:00 PM, Michael Grant mgr...@modus.bz wrote:

I finally have an update here. After much back and forth and having to REALLY make a case for why I was able to convince Newtek to update their CF servers to run Java 1.7 instead of 1.6. This had an immediate positive result and the SSL handshake was able to proceed properly with TLS.

Thanks to all that helped.

Mike

On Sat, Nov 1, 2014 at 3:42 PM, Michael Grant mgr...@modus.bz wrote:

Just a heads up to everyone, I'm still waiting to hear back from Newtek about whether they've reimported the certs and CA cert again. Once I have some news I'll post back. Thanks again everyone for your guidance.

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359843
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Work Around for SSLv3 Vulnerability?
Wow I could've used this four weeks ago! Haha. Good article.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359841
Re: Work Around for SSLv3 Vulnerability?
Well, your question was one of the reasons I did the research. We had several clients at CF Webtools and a few at other hosting companies that needed to know for sure how CFHTTP and SSL were working.

Regards,
Wil

Sent from a hand held device that autocorrects my typos in a mist humorous fashion.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359842
Re: Work Around for SSLv3 Vulnerability?
I just published blog posts today on how to prevent ColdFusion from falling back to SSLv3 with CFHTTP.

http://www.trunkful.com/index.cfm/2014/12/8/Preventing-SSLv3-Fallback-in-ColdFusion
http://www.coldfusionmuse.com/index.cfm/2014/12/8/colfusion-jvm-versions-sslv3-tls

Enjoy!

Wil

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359773
Re: Work Around for SSLv3 Vulnerability?
if you are on a shared server then it would be an issue for others who are using SOLR, which would then require the host to roll back to 1.6, which would then cause your problem again. Judging by the fact that you said you had to convince them to do this, I assume it is a shared server, otherwise you would have been free to do it yourself had it been your own server. Thus why I am suggesting you check this rather than just dismiss it because it doesn't affect you, as when on a shared server you have to consider everyone.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359677
Re: Work Around for SSLv3 Vulnerability?
I appreciate your feedback Russ. Thank you. From what I've read there does seem to be a fix to the broken SOLR collections. Have you seen this?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359680
Re: Work Around for SSLv3 Vulnerability?
no I haven't seen it, I even emailed Adobe about it directly and got no reply

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359681
Re: Work Around for SSLv3 Vulnerability?
This is the Adobe bug report about Solr breaking with Java 1.7.0_51 and higher when sandboxes are enabled. This was just fixed in Update 14 for CF10.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359682
Re: Work Around for SSLv3 Vulnerability?
we're on CF9

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359684
Re: Work Around for SSLv3 Vulnerability?
I finally have an update here. After much back and forth and having to REALLY make a case for why I was able to convince Newtek to update their CF servers to run Java 1.7 instead of 1.6. This had an immediate positive result and the SSL handshake was able to proceed properly with TLS.

Thanks to all that helped.

Mike

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359655
Re: Work Around for SSLv3 Vulnerability?
did you check if SOLR still works after the upgrade ?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359656
Re: Work Around for SSLv3 Vulnerability?
> did you check if SOLR still works after the upgrade ?

Doesn't Solr use a separate JVM?

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359657
Re: Work Around for SSLv3 Vulnerability?
Hi Russ, I don't use SOLR so this isn't an issue for my use case.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359670
Re: Work Around for SSLv3 Vulnerability?
Just a heads up to everyone, I'm still waiting to hear back from Newtek about whether they've reimported the certs and CA cert again. Once I have some news I'll post back. Thanks again everyone for your guidance.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359550
Re: Work Around for SSLv3 Vulnerability?
The SSL handshake is handled by the JVM (though there might be some config that takes place in the CF engine, not sure). Java 6 supports only TLS 1.0; Java 7 adds support for TLS 1.1 and 1.2. The actual crypto parts of it are handled by the JCE (Java cryptography engine), which if you are running Enterprise is RSA BSafe CryptoJ.

The other thing that comes into play is the SSL cipher suite support, so it is possible that the JVM and the server can't find a protocol and cipher suite that they both support.

There are also some JVM arguments you can use to tell the JVM which protocols to use; here is the reference doc for Java 7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization

You might try setting -Dhttps.protocols=TLSv1. Not sure if that will help; I think the CF engine *may* override the property (in some versions of CF).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Oct 30, 2014 at 9:07 PM, Michael Grant mgr...@modus.bz wrote:

I'll try that with them, thank you SO much.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359548
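Editorial example, added here and not written by anyone in the thread or taken from Adobe: a small Java program, run with the same JVM that ColdFusion uses, that reports which protocols that JVM supports and enables and what an `https.protocols` value such as the `-Dhttps.protocols=TLSv1` mentioned in the message above would leave on offer for `HttpsURLConnection`. The class name `JvmTlsReport`, the optional host argument and port 443 are assumptions of the example; it does not show whether CFHTTP honours the property.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example (hypothetical class name). Uses only JSSE calls available since Java 6.
public class JvmTlsReport {

    // JSSE standard names of the protocols a client should no longer offer.
    static final List<String> LEGACY = Arrays.asList("SSLv2Hello", "SSLv3");

    /**
     * Protocols HttpsURLConnection would offer: the https.protocols list when the
     * property is set, otherwise the JVM's default enabled protocols.
     * Names this JVM does not support are reported and left out.
     */
    static List<String> effective(String httpsProtocols, String[] jvmDefaults, String[] supported) {
        if (httpsProtocols == null || httpsProtocols.trim().isEmpty()) {
            return new ArrayList<String>(Arrays.asList(jvmDefaults));
        }
        List<String> known = Arrays.asList(supported);
        List<String> out = new ArrayList<String>();
        for (String part : httpsProtocols.split(",")) {
            String name = part.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (known.contains(name)) {
                out.add(name);
            } else {
                // Typical case: TLSv1.1 or TLSv1.2 requested on a Java 6 JVM.
                System.out.println("WARNING: https.protocols names '" + name
                        + "', which this JVM does not support");
            }
        }
        return out;
    }

    /** Returns the legacy protocol names found in the given list. */
    static List<String> legacyIn(List<String> protocols) {
        List<String> hits = new ArrayList<String>(protocols);
        hits.retainAll(LEGACY);
        return hits;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        String prop = System.getProperty("https.protocols");

        System.out.println("java.version      : " + System.getProperty("java.version"));
        System.out.println("supported         : " + Arrays.toString(supported));
        System.out.println("enabled by default: " + Arrays.toString(defaults));
        System.out.println("https.protocols   : " + (prop == null ? "(not set)" : prop));

        List<String> offered = effective(prop, defaults, supported);
        System.out.println("would be offered  : " + offered);

        List<String> legacy = legacyIn(offered);
        System.out.println(legacy.isEmpty()
                ? "OK: no SSLv3/SSLv2Hello on offer"
                : "WARNING: legacy protocols on offer: " + legacy);

        if (!Arrays.asList(supported).contains("TLSv1.2")) {
            System.out.println("NOTE: this JVM cannot speak TLSv1.2; a server that "
                    + "requires it will fail the handshake");
        }

        // Optional live check against a host you operate or depend on:
        //   java -Dhttps.protocols=TLSv1 JvmTlsReport api.example.com
        if (args.length == 1) {
            SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443);
            try {
                if (prop != null && !offered.isEmpty()) {
                    // Mirror the property on this raw socket so the result is comparable.
                    socket.setEnabledProtocols(offered.toArray(new String[0]));
                }
                socket.startHandshake();
                System.out.println("negotiated with " + args[0] + ": "
                        + socket.getSession().getProtocol());
            } finally {
                socket.close();
            }
        }
    }
}
```

Run it once without the property and once with it; a handshake that only succeeds after a JVM upgrade points at missing protocol or cipher suite support rather than at certificates.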
Re: Work Around for SSLv3 Vulnerability?
If upgrading to Java 7 solves the issue, do also note that this also breaks SOLR on CF9, or rather CF can no longer communicate with SOLR, so none of your collections will be accessible. I have contacted Adobe about this, but as usual no response, and with CF9 EOL pending I doubt they ever will.

On Fri, Oct 31, 2014 at 2:52 PM, Pete Freitag p...@foundeo.com wrote:

The SSL handshake is handled by the JVM (though there might be some config that takes place in the CF engine, not sure). Java 6 supports only TLS 1.0; Java 7 adds support for TLS 1.1 and 1.2. The actual crypto part of it is handled by the JCE (Java Cryptography Engine), which if you are running Enterprise is RSA BSafe CryptoJ.

The other thing that comes into play is the SSL cipher suite support, so it is possible that the JVM and the server can't find a protocol and cipher suite that they both support.

There are also some JVM arguments you can use to tell the JVM which protocols to use. Here is the reference doc for Java 7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization

You might try setting -Dhttps.protocols=TLSv1. Not sure if that will help; I think the CF engine *may* override the property (in some versions of CF).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Oct 30, 2014 at 9:07 PM, Michael Grant mgr...@modus.bz wrote:

I'll try that with them, thank you SO much.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359549
Re: Work Around for SSLv3 Vulnerability?
What's preventing it from negotiating to an earlier version of SSL? Settings in the keystore?

On 10/30/14, 3:36 PM, Michael Grant wrote:

I have a legacy app on CF9 (originally CF7) which uses CFHTTP to make a secure connection to Chase Paymentech's Orbital payment gateway. I have the SSL's installed into the Java keystore like I'm supposed to and for about 7 years this app has been working as expected.

Fast forward to a few days ago and my host disabled SSLv3, as the world has been instructed to do to thwart the POODLE vulnerability. The moment they did that my app no longer can process transactions. I get the classic COM.Allaire.ColdFusion.HTTPFailure type error with the message Connection Failure: Status code unavailable. This isn't the typical message of when you don't have the cert installed where it says peer could not be authenticated. According to tech support it's only with CF that disabling SSLv3 stops communication. Apparently others don't have this issue.

Does anyone know of a work around? I'm not sure if CF9 is the problem or CF as a whole. Would upgrading to CF10 help? I'm in a real bind here as the client hasn't been able to process ecommerce transactions for a few days now. Any help is appreciated.

Here's the cfhttp code:

    <cfhttp url="https://orbital1.paymentech.net" method="post" throwonerror="yes" port="443">
        <cfhttpparam type="body" value="#transInfo#"><!--- XML request var --->
        <cfhttpparam type="header" name="MIME-Version" value="1.0">
        <cfhttpparam type="header" name="Content-type" value="application/PTI43">
        <cfhttpparam type="header" name="Content-length" value="#Len(Trim(transInfo))#">
        <cfhttpparam type="header" name="Content-transfer-encoding" value="text">
        <cfhttpparam type="header" name="Request-number" value="1">
        <cfhttpparam type="header" name="Document-type" value="Request">
        <cfhttpparam type="header" name="Merchant-id" value="#merchantID#">
        <cfhttpparam type="header" name="Interface-Version" value="2.2.0">
        <cfhttpparam type="header" name="Accept" value="application/xml">
    </cfhttp>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359542
Re: Work Around for SSLv3 Vulnerability?
I was able to communicate with their server using TLSv1:

    jordan@jordan-M61P-S3:~$ curl -v --tlsv1.0 https://orbital1.paymentech.net/
    * Hostname was NOT found in DNS cache
    * Trying 65.124.118.70...
    * Connected to orbital1.paymentech.net (65.124.118.70) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using ECDHE-RSA-AES256-SHA
    * Server certificate:
    *subject: C=US; ST=New York; L=New York; O=Chase Paymentech Solutions; OU=Enterprise Web Architecture; CN=orbital1.paymentech.net
    *start date: 2014-07-03 00:00:00 GMT
    *expire date: 2015-07-04 23:59:59 GMT
    *subjectAltName: orbital1.paymentech.net matched
    *issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 International Server CA - G3
    *SSL certificate verify ok.

TLSv1 is supposedly supported even in CF6, so you should be alright in CF9. I would try re-importing their public KEY and CA into your keystore. Perhaps the key you're using is just too old.

Warm Regards,
Jordan Michaels
Vivio Technologies

On 10/30/2014 04:17 PM, .jonah wrote:

What's preventing it from negotiating to an earlier version of SSL? Settings in the keystore?

On 10/30/14, 3:36 PM, Michael Grant wrote:

I have a legacy app on CF9 (originally CF7) which uses CFHTTP to make a secure connection to Chase Paymentech's Orbital payment gateway. I have the SSL's installed into the Java keystore like I'm supposed to and for about 7 years this app has been working as expected.

Fast forward to a few days ago and my host disabled SSLv3, as the world has been instructed to do to thwart the POODLE vulnerability. The moment they did that my app no longer can process transactions. I get the classic COM.Allaire.ColdFusion.HTTPFailure type error with the message Connection Failure: Status code unavailable. This isn't the typical message of when you don't have the cert installed where it says peer could not be authenticated. According to tech support it's only with CF that disabling SSLv3 stops communication. Apparently others don't have this issue.

Does anyone know of a work around? I'm not sure if CF9 is the problem or CF as a whole. Would upgrading to CF10 help? I'm in a real bind here as the client hasn't been able to process ecommerce transactions for a few days now. Any help is appreciated.

Here's the cfhttp code:

    <cfhttp url="https://orbital1.paymentech.net" method="post" throwonerror="yes" port="443">
        <cfhttpparam type="body" value="#transInfo#"><!--- XML request var --->
        <cfhttpparam type="header" name="MIME-Version" value="1.0">
        <cfhttpparam type="header" name="Content-type" value="application/PTI43">
        <cfhttpparam type="header" name="Content-length" value="#Len(Trim(transInfo))#">
        <cfhttpparam type="header" name="Content-transfer-encoding" value="text">
        <cfhttpparam type="header" name="Request-number" value="1">
        <cfhttpparam type="header" name="Document-type" value="Request">
        <cfhttpparam type="header" name="Merchant-id" value="#merchantID#">
        <cfhttpparam type="header" name="Interface-Version" value="2.2.0">
        <cfhttpparam type="header" name="Accept" value="application/xml">
    </cfhttp>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359543
Re: Work Around for SSLv3 Vulnerability?
I don't know. Newtek is the hosting provider. As soon as they disabled ssl3 it just immediately stopped working. I don't really know what to tell them to do and I'm not sure they have tried all that hard to find a solution. Do you know what setting would determine if it negotiated down or not? I would essentially just share this back to Newtek in the hopes they could help. Mike

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359544
Re: Work Around for SSLv3 Vulnerability?
Thanks for the reply. Should the cfhttp code I have automatically try tls? Is this something wrong in the Newtek config?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359545
Re: Work Around for SSLv3 Vulnerability?
Yes, it should auto-negotiate by default, and honestly, I'm not aware of a way to turn off auto-negotiation unless you force a specific protocol (like I did earlier with my curl command).

It's also possible that with your payment provider's most recent update they might have gone from SHA1 to SHA2 - which would require you to use a new CA.

With the specific error you're getting, it *really* makes me think you just need to re-import the public KEY and CA. Please try that, and let us know if that doesn't take care of the issue for you.

Warm Regards,
Jordan Michaels
Vivio Technologies

On 10/30/2014 04:47 PM, Michael Grant wrote:

Thanks for the reply. Should the cfhttp code I have automatically try tls? Is this something wrong in the Newtek config?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359546
Re: Work Around for SSLv3 Vulnerability?
I'll try that with them, thank you SO much.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359547