Cfhttp and TLS ciphers

Hi - Doing some FedEx rating API requests with cfhttp… Everything currently works. FedEx is removing the following ciphers soon though:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

How can I be sure I’m not using these and that things will still work?

I’m using Lucee 5.3.5.96,
Apache Tomcat/8.5.14,
Java 1.8.0_131 (Oracle Corporation) 64bit,
Linux (3.10.0-1160.15.2.el7.x86_64) 64bit,
openssl version gives me OpenSSL 1.0.2k-fips

I think I’ve adjusted ciphers in the Apache web server before, but this is using cfhttp, so Lucee is the client/browser. I’m lost and not finding a way to check my end while their end is still accepting the ciphers in question. The HTTPS seems to be handled by Tomcat and Apache, but is that outbound?

Thanks!


Hi,

I’m not yet sure what Lucee uses under the hood to make the HTTP request and if it’s equivalent to what I’m doing below, but for now I’m using the following code to see what Java uses for the cipher suite:

<cfset targetUrl = "https://www.example.com">

<cftry>
    <!--- Create url object instance --->
    <cfset javaURL = createObject("java", "java.net.URL").init(JavaCast("string", targetUrl))>

    <!--- Open the connection --->
    <cfset connection = javaURL.openConnection()>

    <!--- Make sure the connection is an HttpsURLConnection (checks the type, not the JVM-specific class name) --->
    <cfif isInstanceOf(connection, "javax.net.ssl.HttpsURLConnection")>
        <!--- Connect to the url (this performs the TLS handshake) --->
        <cfset connection.connect()>

        <!--- Get the cipher suite that was negotiated --->
        <cfset cipherSuite = connection.getCipherSuite()>

        <!--- Get the server's certificate chain --->
        <cfset certs = connection.getServerCertificates()>

        <!--- Create the structure to hold the data --->
        <cfset sslInfo = structNew()>
        <cfset sslInfo.cipherSuite = cipherSuite>
        <cfset sslInfo.certificates = []>

        <cfloop array="#certs#" index="cert">
            <cfset certInfo = structNew()>
            <cfset certInfo.type = cert.getType()>
            <cfset certInfo.principal = cert.getSubjectDN().getName()>
            <cfset arrayAppend(sslInfo.certificates, certInfo)>
        </cfloop>

        <!--- Disconnect --->
        <cfset connection.disconnect()>

        <!--- Dump the data --->
        <cfdump var="#sslInfo#">
    <cfelse>
        <cfoutput>The connection is not an instance of HttpsURLConnection</cfoutput>
    </cfif>

    <cfcatch type="any">
        <cfdump var="#cfcatch#">
    </cfcatch>
</cftry>

Then you can go to Ciphersuite.Info. There is a search box at the top right that allows you to find the different suites. Be careful, the difference in the name is sometimes very subtle.

If anyone can also confirm that my method is reliable, it is welcome.

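The snippet above only reports the suite negotiated today, while the server still accepts the CBC suites. The following added example (not code from either post) goes one step further: it lists which of the four retiring suites this JVM offers at all, then performs a handshake with those suites removed from the client offer, so you see today what will be negotiated after FedEx drops them. It assumes that cfhttp offers the JVM's default cipher suites (both sit on the same JSSE stack) and uses a placeholder hostname that must be replaced with the endpoint you actually call.

```cfml
<cfscript>
// Added example, not code from the original posts. Assumptions: the host is a
// placeholder, and cfhttp offers the JVM's default cipher suites.
host = "api.example.com";   // placeholder: replace with the endpoint you call via cfhttp
port = 443;
retiring = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
];

ctx = createObject("java", "javax.net.ssl.SSLContext").getDefault();

// 1. Which of the retiring suites does this JVM offer by default?
//    If none, the client never proposes them and the change cannot affect you.
offeredRetiring = [];
for (suite in ctx.getDefaultSSLParameters().getCipherSuites()) {
    if (arrayFindNoCase(retiring, suite)) arrayAppend(offeredRetiring, suite);
}
writeOutput("Retiring suites this JVM still offers: " & arrayToList(offeredRetiring) & "<br>");

// 2. Handshake with those suites removed from the client offer. Whatever the
//    server picks now is what it will pick once the suites are gone; a
//    handshake failure means no remaining suite is shared and cfhttp will break.
sock = ctx.getSocketFactory().createSocket(host, port);   // TCP connect only, handshake deferred
try {
    keep = [];
    for (suite in sock.getEnabledCipherSuites()) {
        if (!arrayFindNoCase(retiring, suite)) arrayAppend(keep, suite);
    }
    params = sock.getSSLParameters();
    params.setCipherSuites(javaCast("string[]", keep));
    params.setEndpointIdentificationAlgorithm("HTTPS");   // verify the hostname as an HTTPS client would
    sock.setSSLParameters(params);

    sock.startHandshake();
    negotiated = sock.getSession().getCipherSuite();
    writeOutput("Negotiated without the retiring suites: " & negotiated & "<br>");
} catch (any e) {
    writeOutput("Handshake failed without the retiring suites: " & e.message & "<br>");
} finally {
    sock.close();
}
</cfscript>
```

If step 1 lists nothing, the JVM never offers the CBC suites and you are already unaffected; if step 2 fails, the only suites you share with the endpoint are the ones being retired, and the JVM or its crypto policy needs updating before the cut-off.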