CFHTTP and SSL v3

Okay, I have a bit of a critical issue as Authorize.Net is apparently disabling any use of SSL v2.0 and requiring the use of v3.0 (and only giving us about a month to get ready!) To my knowledge, only ColdFusion 8 even supports this, and not sure what the support is in Railo and BlueDragon. Is there any reasonably easy way to do this in CF7 (or even CF6)? I have a LOT of customers still on CF7 and AuthNet is by far the most popular gateway, and I need to find them a solution, as upgrading to CF8 may not be a viable solution for many of them.

---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319425
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Mary Jo,

You should be able to bypass CFHTTP and use the java libs directly. I took a
gander at the Java samples on the auth.net site for AIM integration and
here's what I came up with. It seems to work fine on CF 7 and It handles the
SSL all right and returns values. But I'm still trying to figure out how to
test and see if it's SSL 3.0 or not (I suspect not). Still, I'm guessing you
could figure out how to specify the exact SSL protocol from the Java docs.
The only question I would have is does 1.4_x support SSL 3.0 natively using
the java.net and java.net.SSL libs or do we need some additional library.
I'm guessing some Java gurus on this list could give us the skinny on that.

FYI - I'm interested in the resolution to this as well. We would have 2 or 3
sites to move to CF 8 quickly if we don't have an easy work around (at least
1 CF Webstore site as well). Let me know if you figure it out and I'll whip
up a blog entry for the community.

-Mark


  _____  

<cfparam name="form.x_login" default=""/>

<cfparam name="form.x_tran_key" default=""/>

<cfparam name="form.x_version" default="3.1"/>
<cfparam name="form.x_test_request" default="TRUE"/>
<cfparam name="form.x_method" default="CC"/>
<cfparam name="form.x_type" default="AUTH_CAPTURE"/>
<cfparam name="form.x_amount" default="1.00"/>
<cfparam name="form.x_delim_data" default="TRUE"/>
<cfparam name="form.x_delim_char" default="|"/>
<cfparam name="form.x_relay_response" default="FALSE"/>
<cfparam name="form.x_card_num" default="4007000000027"/>
<cfparam name="form.x_exp_date" default="0509"/>
<cfparam name="form.x_description" default="TEST JAVA TRANS"/>


<Cfset str = ''/>
        <cfloop collection="#form#" item="f">
        <Cfset str = str & f & '=' & form[f] & '&'/>
</cfloop>


<Cfoutput>#str#</CFOUTPUT>
<cfscript>
        objUrl = createobject("java","java.net.URL").init("
<https://test.authorize.net/gateway/transact.dll>
https://test.authorize.net/gateway/transact.dll");
        sendstring = '';
        // connection
        conn = objUrl.openConnection();
        //set some props
        conn.setDoOutput(true);
        conn.setUseCaches(false);
 
conn.setRequestProperty("content-Type","application/x-www-form-urlencoded");
        //set ouptput
        dtOut = conn.getOutputStream();
        dtOut.write(Javacast("String",str).toString().getBytes());
        dtOut.flush();
        dtOut.Close();
        // set input
        inS =
createobject("java","java.io.InputStreamReader").init(conn.getInputStream())
;
        inVar = createObject("java","java.io.BufferedReader").init(inS);
        retVar = inVar.readLine();
</cfscript>




Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Mary Jo Sminkey [ <mailto:maryjos@...>
mailto:maryjos@...]
Sent: Tuesday, February 17, 2009 2:47 PM
To: cf-talk
Subject: CFHTTP and SSL v3


Okay, I have a bit of a critical issue as Authorize.Net is apparently
disabling any use of SSL v2.0 and requiring the use of v3.0 (and only giving
us about a month to get ready!) To my knowledge, only ColdFusion 8 even
supports this, and not sure what the support is in Railo and BlueDragon. Is
there any reasonably easy way to do this in CF7 (or even CF6)? I have a LOT
of customers still on CF7 and AuthNet is by far the most popular gateway,
and I need to find them a solution, as upgrading to CF8 may not be a viable
solution for many of them.

---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
 <http://www.cfwebstore.com> http://www.cfwebstore.com





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319436
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

On Tue, Feb 17, 2009 at 3:46 PM, Mary Jo Sminkey <maryjos@...>wrote:
Where do you read that Mary Jo? I don't see it in merchant area or in
developer docs...


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319438
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

>Where do you read that Mary Jo? I don't see it in merchant area or in
>developer docs...

Yeah, they just kind of dropped this on us with virtually no advanced notice. I've already sent them an email expressing my annoyance at such an extremely short time frame for something that is not just a simple "flip a switch" kind of change....and with no information at all how to test our integrations, what is needed to do this, etc. I'll be interested to see if I get any response. Here's the email I received:

"Important System Notice

Dear Authorize.Net Developer:

During the week of March 16 - 20, 2009, Authorize.Net will be deprecating all legacy support for the SSL 2.0 protocol. Changes have recently been made to the Payment Card Industry Data Security Standard (PCI DSS) which have made the use of SSL 2.0 a PCI DSS violation.

Due to this change, it is critical that you update any applications or integrations that may be using the SSL 2.0 protocol to support the more current SSL 3.0/TLS 1.0 protocols. Failure to upgrade your applications or integrations may result in a lost ability to successfully process transactions via the Authorize.Net Payment Gateway.

If you have merchants who are currently using SSL 2.0 to connect to the Authorize.Net Payment Gateway, you must contact them immediately and arrange to update their integrations to the SSL 3.0/TLS 1.0 protocols.

For more information on the limitations of SSL 2.0 and the advantages of SSL 3.0/TLS 1.0, we recommend reviewing the white paper Analysis of the SSL 3.0 Protocol.

If you have any questions, please contact developer@....

Sincerely,
Authorize.Net "

---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319451
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

>You should be able to bypass CFHTTP and use the java libs directly. I took a
>gander at the Java samples on the auth.net site for AIM integration and
>here's what I came up with. It seems to work fine on CF 7 and It handles the
>SSL all right and returns values. But I'm still trying to figure out how to
>test and see if it's SSL 3.0 or not (I suspect not).

Well, that looks promising indeed...but I'm not seeing anything in there that is providing the client certificate, which is what is necessary for SSL 3.0. In CF8, it's provided with the ClientCert and ClientCertPassword attributes of the cfhttp tag. But as for how to test and know if this is working, you've got me stumped! I see nothing in the Authorize.Net settings, or anything whatsoever in the documentation that tells where to get the certificate, how to test it, etc.

---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319452
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

We have some legacy ecomm apps that still use cf 5.0 with authorize.net

will the move to cfmx 8 solve this new ssl 3.0 requirement issue by authorize.net . i have been trying hard to find if cfmx 8.0 supports ssl 3.0 with cfhttp and also what do i use for the cert and certpassword attributes for the tag, our apps use verisign,comodo and geotrust certs.
Thx.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319465
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Mary Jo,

I'm confused.... SSL 3.0 does not necessarily need a client cert - does it?
The connection would still use the public key right?  Are you saying that
Auth.net is requiring you to specify the client cert as a part of the
handshake?

-Mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Mary Jo Sminkey [mailto:maryjos@...]
Sent: Tuesday, February 17, 2009 8:11 PM
To: cf-talk
Subject: Re: CFHTTP and SSL v3


>You should be able to bypass CFHTTP and use the java libs directly. I
>took a gander at the Java samples on the auth.net site for AIM
>integration and here's what I came up with. It seems to work fine on CF
>7 and It handles the SSL all right and returns values. But I'm still
>trying to figure out how to test and see if it's SSL 3.0 or not (I suspect
not).

Well, that looks promising indeed...but I'm not seeing anything in there
that is providing the client certificate, which is what is necessary for SSL
3.0. In CF8, it's provided with the ClientCert and ClientCertPassword
attributes of the cfhttp tag. But as for how to test and know if this is
working, you've got me stumped! I see nothing in the Authorize.Net settings,
or anything whatsoever in the documentation that tells where to get the
certificate, how to test it, etc.

---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319494
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

>I'm confused.... SSL 3.0 does not necessarily need a client cert - does it?
>The connection would still use the public key right?  Are you saying that
>Auth.net is requiring you to specify the client cert as a part of the
>handshake?

Mark, I checked with AuthNet and you're right, they are not requiring a client cert. So it looks like this will be a bit less of a concern, assuming that CFHTTP is using the same protocol as the underlying web server (most of which are going to be at least v3.0). It may however still be a problem on some older CF versions, I would expect CF5 might have problems with it. In corresponding with AuthNet, they did say that they will try to roll out the requirement on the test server first so we can check our sites and make sure they are still working, but I don't have a date from them yet on when they expect to be able to do that.

---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319510
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Mary Jo,

I think it would be the underlying protocol of Java not the web server -
right? Does CF pass an HTTP request back through IIS or apache? I think it
accesses the stack using it's own internal libraries. I guess we wait till
they have a new test server ready eh?

-mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Mary Jo Sminkey [mailto:maryjos@...]
Sent: Wednesday, February 18, 2009 8:38 PM
To: cf-talk
Subject: Re: CFHTTP and SSL v3


>I'm confused.... SSL 3.0 does not necessarily need a client cert - does it?
>The connection would still use the public key right?  Are you saying
>that Auth.net is requiring you to specify the client cert as a part of
>the handshake?

Mark, I checked with AuthNet and you're right, they are not requiring a
client cert. So it looks like this will be a bit less of a concern, assuming
that CFHTTP is using the same protocol as the underlying web server (most of
which are going to be at least v3.0). It may however still be a problem on
some older CF versions, I would expect CF5 might have problems with it. In
corresponding with AuthNet, they did say that they will try to roll out the
requirement on the test server first so we can check our sites and make sure
they are still working, but I don't have a date from them yet on when they
expect to be able to do that.

---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319524
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

> I think it would be the underlying protocol of Java not the web server -
> right? Does CF pass an HTTP request back through IIS or apache? I think it
> accesses the stack using it's own internal libraries. I guess we wait till
> they have a new test server ready eh?

CF doesn't use the web server to send HTTP requests; it does this itself.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319529
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

>I think it would be the underlying protocol of Java not the web server -
>right?

That would have been my assumption as well, the support from AuthNet seemed to think otherwise, but I certainly don't trust their knowledge of CF and its inner workings. Which still brings me back to trying to determine exactly *which* versions of CF do support SSL v3.0 by default. Like you, I'm hoping they get the test server ready sooner rather than later so we can run some tests with different versions and see what works and what doesn't and go from there.


---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319530
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Mary Jo,

Hmmm... You know the more I think of it the more I believe you should only
be concerned about CF 5. SSL 3.0 came out in 1996 and I think it's the
version that supports "chaining" certificates. I have certainly dealt with
cert chain issues in both CF 6 and CF 7 - so I'm of a mind to believe those
must be SSL 3.0 compliant.  Also, I think that 3.0 can respond to 2.0
requests... It's really about dictating the encryption standard that's used.
But perhaps Dave or someone can shed a bit more light on it.

-Mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Mary Jo Sminkey [mailto:maryjos@...]
Sent: Thursday, February 19, 2009 10:54 AM
To: cf-talk
Subject: Re: CFHTTP and SSL v3


>I think it would be the underlying protocol of Java not the web server
>- right?

That would have been my assumption as well, the support from AuthNet seemed
to think otherwise, but I certainly don't trust their knowledge of CF and
its inner workings. Which still brings me back to trying to determine
exactly *which* versions of CF do support SSL v3.0 by default. Like you, I'm
hoping they get the test server ready sooner rather than later so we can run
some tests with different versions and see what works and what doesn't and
go from there.


---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com 



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319531
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

>Hmmm... You know the more I think of it the more I believe you should only
>be concerned about CF 5. SSL 3.0 came out in 1996 and I think it's the
>version that supports "chaining" certificates. I have certainly dealt with
>cert chain issues in both CF 6 and CF 7 - so I'm of a mind to believe those
>must be SSL 3.0 compliant.

From what we've been able to determine in some limited testing, I would have to agree with that. Someone on the Railo list did a little test that showed that CF7, CF8 and Railo all did a connection using a v3 SSL cipher so we're fairly sure that those servers at least will be okay.


---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319532
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

> That would have been my assumption as well, the support from AuthNet seemed to think
> otherwise, but I certainly don't trust their knowledge of CF and its inner workings. Which still
> brings me back to trying to determine exactly *which* versions of CF do support SSL v3.0 by
> default. Like you, I'm hoping they get the test server ready sooner rather than later so we can
> run some tests with different versions and see what works and what doesn't and go from there.

I think this is less a CF issue and more a JVM issue. It looks to me
like 1.4.2 supports SSL3/TLS1, so you should be ok with any version of
CF 6.x+ running on that.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319533
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

I got the same email from Authorize.net.  We are using CFMX7 and from what I have read it doesn't support ssl 3.0 via cfhttp. If anyone has a quick solution I'd appreciate it.  Likewise if I find one I'll let everyone know.

Thanks
Mike




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319684
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Michael,

I had about concluded that 6 and 7 actually DO support 3.0. Can you tell me
what docs indicated otherwise?

-mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Michael Kotuba [mailto:michael.kotuba@...]
Sent: Monday, February 23, 2009 8:42 AM
To: cf-talk
Subject: Re: CFHTTP and SSL v3


I got the same email from Authorize.net.  We are using CFMX7 and from what I
have read it doesn't support ssl 3.0 via cfhttp. If anyone has a quick
solution I'd appreciate it.  Likewise if I find one I'll let everyone know.

Thanks
Mike






~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319685
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

I had read it in several blog postings but nothing definitive from Adobe.  I've done some more checking and it appears you are right about it working for CF7.  Now if only the authorize.net test site was up to date I could test my apps.

Cheers

Mike

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319687
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

FYI:

I did some testing and research (with some help :) and I posted an article
with my findings on this issue.

http://www.coldfusionmuse.com/index.cfm/2009/2/24/CF-SSL30-Authorize-net

-mk



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319761
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

I got an email a while ago from Authorize.net that they have set up the test server with ssl 2.0 disabled and only ssl 3.0 enabled. and they provided all the information.
To be sure i checked that using serversslsniffer and ssl 2.0 ciphers were disabled.
and For SSL 3.0 only 128 bit and above ciphers were supported.

So now i have tested one app that i have moved from cf5 to cf8 and it connected fine as expected. :)

Now is the strange thing : I tested another app that is in cf5 and is yet to be ported to cf 8.0.

Strangely that app also connected fine to the new SSL 3.0 Testing server.
This is going above my head now. Docs say cfhttp in cf 5 only supports up to 56 bit.
Going by that it should not have connected.
Both cf5 app and cf8 apps are on different servers and both have ssl 2.0 disabled anyways.
 Any ideas?? what going on here. Do i port the other cf5 app??

~Amit




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319837
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Hmmm.... Very interesting...

CF 5 uses an ipswitch com or something to make HTTP connections ... Or is it
something native to windows through the stack?

-Mark


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Amit Talwar [mailto:talwar.amit@...]
Sent: Wednesday, February 25, 2009 3:53 PM
To: cf-talk
Subject: Re: CFHTTP and SSL v3


I got an email a while ago from Authorize.net that they have set up the test
server with ssl 2.0 disabled and only ssl 3.0 enabled. and they provided all
the information.
To be sure i checked that using serversslsniffer and ssl 2.0 ciphers were
disabled.
and For SSL 3.0 only 128 bit and above ciphers were supported.

So now i have tested one app that i have moved from cf5 to cf8 and it
connected fine as expected. :)

Now is the strange thing : I tested another app that is in cf5 and is yet to
be ported to cf 8.0.

Strangely that app also connected fine to the new SSL 3.0 Testing server.
This is going above my head now. Docs say cfhttp in cf 5 only supports up to
56 bit.
Going by that it should not have connected.
Both cf5 app and cf8 apps are on different servers and both have ssl 2.0
disabled anyways.
 Any ideas?? what going on here. Do i port the other cf5 app??

~Amit






~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319840
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4