Issue with cfhttp and Google Maps with TLSv1.0 disabled

I don’t -think- this is a Lucee specific issue, but I thought I’d raise it
in case anyone else has come across it and it also leads into a
question/bug with the Services > SSL Certs section of admin.

I recently modified my Win2012r2 server to stop using TLSv1.0 for PCI
compliance. I also reinstalled Lucee 4.5.1.023 with the installer so I have
Tomcat8 running now too. All went well and my scan passed with flying
colours, however…

My Store Finder code which uses cfhttp to call https://maps.googleapis.com
is now failing with the good old “Connection Failure”. Now I know from
past, painful experience that this is usually due to issues with certstore.

When I connect via a browser (on the server) I see that the connection is
using TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256 128bit TLSv1.2. So it looks like
TLSv1.1 & 1.2 should be ok.

I installed the https://maps.googleapis.com cert via Services > SSL Certs
(I think…there’s no indication that it worked but no error either). I
restarted the Lucee service but that doesn’t seem to have helped.

So, my question. *Is there a reason that Lucee/Java would be having issues
with TLSv1.0 disabled?*

I’m going to try installing the cert using keytool & restart just in case
there was an issue installing it from the admin panel.

The bug bit is this

If you click list or install without a host you get the popup error
“missing value for text input field “host””. When you dismiss that, you
then are presented with a “please wait” screen which never completes. Only
a reload of the page will clear it.

There also doesn’t seem to be any indication that a cert has been installed.

I’ll report it on JIRA.

ah…looks like it may be more due to issues with the *.googleapis.com and
the fresh install of lucee/tomcat8 than the TLS issue (which makes more
sense)

https://groups.google.com/forum/#!topic/lucee/2u3LCgiujgs

DL-ing the referenced jars now.

Answer is that some Apache Tomcat jar files need to be updated to deal with
wildcard SSL certificates.

DL from

http://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.2
http://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5
http://mvnrepository.com/artifact/org.apache.httpcomponents/httpmime/4.5

rename the files to

apache-commons-httpclient.jar
apache-commons-httpcore.jar
apache-commons-httpmime.jar files.

stop the Lucee service.

copy the files (and overwrite existing) to /opt/lucee/lib for *nix,
c:\lucee\lib for win.

start the lucee service.

Maps (or any other googleapi based service) should be working again with
cfhttp
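
Once the jars are renamed, the file names no longer show which version is in the lib directory. The following check is an added example, not part of the original thread or of Lucee: it reads each jar's manifest and compares it with the versions linked above. It assumes the jars carry an `Implementation-Version` manifest attribute; `check_lib`, `make_sample_lib` and the sample jars (including the stale 4.2.5) are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Versions linked in the post above, keyed by the renamed file names.
EXPECTED = {
    "apache-commons-httpclient.jar": "4.5",
    "apache-commons-httpcore.jar": "4.4.2",
    "apache-commons-httpmime.jar": "4.5",
}

def manifest_attrs(jar_path):
    """Return the main-section attributes of META-INF/MANIFEST.MF."""
    with zipfile.ZipFile(jar_path) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and key:  # wrapped value continues
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs

def check_lib(lib_dir, expected=EXPECTED):
    """Map each jar name to (version found or None, matches expected)."""
    report = {}
    for name, want in expected.items():
        try:  # Implementation-Version is assumed to be set by the jar's build
            attrs = manifest_attrs(os.path.join(lib_dir, name))
            found = attrs.get("Implementation-Version")
        except (OSError, KeyError, zipfile.BadZipFile):
            found = None                  # missing, unreadable or no manifest
        report[name] = (found, found == want)
    return report

def make_sample_lib(versions):  # constructed stand-in lib directory for the demo
    lib_dir = tempfile.mkdtemp()
    for name, version in versions.items():
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                        f"Implementation-Version: {version}\r\n\r\n")
    return lib_dir

if __name__ == "__main__":
    stale = {**EXPECTED, "apache-commons-httpclient.jar": "4.2.5"}  # constructed
    print(check_lib(make_sample_lib(stale)))
```

Point `check_lib` at /opt/lucee/lib or c:\lucee\lib after the copy step; any entry reported as `(None, False)` means the jar is missing, unreadable or has no version attribute.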

/opt/lucee/lib. You’re talking about the apache-commons-httpclient.jar,
apache-commons-httpcore.jar, and apache-commons-httpmime.jar files

On Monday, September 14, 2015 at 10:40:11 AM UTC-6, Jay B wrote:

ah…looks like it may be more due to issues with the *.googleapis.com
and the fresh install of lucee/tomcat8 than the TLS issue (which makes more
sense)

https://groups.google.com/forum/#!topic/lucee/2u3LCgiujgs

DL-ing the referenced jars now.