BDubCook

Reputation: 488

Server and JRE are set to TLS 1.2 but ColdFusion 9 still trying to use TLS 1.0

I'm not 100% sure what's going on; however, we have a ColdFusion 9 server that connects to a web service. The web service has made the changes to only allow connections via TLS 1.2. We thought we were OK because we set the server to only use TLS 1.2 and we set the JRE (1.7) to use TLS 1.2. However, in the ColdFusion Administrator -> Web Services, when I try to refresh the web service connection, it still tries to connect via TLS 1.0 (confirmed using Wireshark). Is anyone who is well versed in ColdFusion configuration able to point me in the right direction to understand why this is happening?

Thank you


Upvotes: 0

Views: 1926

Answers (3)

Sung

Reputation: 480

Very late answer, but you can't go wrong using cfx_http5. Better than cfhttp in every way.

Upvotes: -1

Adrian J. Moreno

Reputation: 14859

Following Miguel-F's link and a few others, I discovered that CF 9 will ignore -Dhttps.protocols=TLSv1.2 for every version of JDK 7 until JDK 7u171 b31, but then JDK 7u181 enables TLSv1.2 by default (just like JDK 8).

The only hurdle is that any JDK past 7u80 is behind an Oracle paid support wall. I managed to find someone with access and it tested just fine using PayPal's TLS Test site:

<cfhttp url="https://tlstest.paypal.com/" result="test">

<cfdump var="#test#">

This returns a CFHTTP dump with PayPal_Connection_OK when a TLSv1.2 connection is used.

JDK 8u172 will also work with CF 9.0.2 w/ all hot fixes, but I'd rather not risk the regression testing jumping to the next major version.

Upvotes: 0

Scott Jibben

Reputation: 2287

Upgrade your JDK/JRE to use 1.8 and that will solve this problem.

For basic instructions, read my answer on this question:

How to add TLS 1.2 in cfhttp tag in ColdFusion 10

The CF9 server that I support is running on Server JRE 1.8u172.

Upvotes: 2
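
An added example (not code from any of the answers above): a small Java check for the point both JDK answers turn on, namely whether the JRE offers TLSv1.2 for client connections by default or merely implements it. The class name `TlsDefaults` is hypothetical, and the check assumes you compile and run it with the same JRE that ColdFusion is configured to use.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.List;

// Added diagnostic; the class name TlsDefaults is hypothetical.
// Assumption: it is compiled and run with the same JRE that ColdFusion uses.
public class TlsDefaults {

    // Protocols a client socket from this context offers with no further configuration.
    static List<String> enabled(SSLContext ctx) {
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    // Protocols the provider implements, whether or not they are enabled by default.
    static List<String> supported(SSLContext ctx) {
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version    = " + System.getProperty("java.version"));
        System.out.println("java.home       = " + System.getProperty("java.home"));
        // null here means the property is not set in this JVM
        System.out.println("https.protocols = " + System.getProperty("https.protocols"));

        SSLContext def = SSLContext.getDefault();
        System.out.println("default enabled   : " + enabled(def));
        System.out.println("default supported : " + supported(def));

        // A context requested explicitly as TLSv1.2, for comparison with the default one.
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null);
        System.out.println("TLSv1.2 context   : " + enabled(tls12));

        if (enabled(def).contains("TLSv1.2")) {
            System.out.println("RESULT: TLSv1.2 is offered by default on this JVM");
        } else if (supported(def).contains("TLSv1.2")) {
            System.out.println("RESULT: TLSv1.2 is implemented but not enabled by default");
        } else {
            System.out.println("RESULT: this JVM has no TLSv1.2 implementation");
        }
    }
}
```

Comparing the printed `java.home` with the JRE path ColdFusion is configured to use confirms that the check ran against the same runtime.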
