Going to try to keep this as simple as possible: we use PayPal as a gateway for payments and were notified that the webserver uses TLS 1.0 to go to the gateway and that needs to be upgraded to use TLS 1.2.
This is on a Ubuntu 14.04LTS server that I was running Railo on and figured just upgrading would do the trick, so I was able to upgrade to Lucee 4.5 following the how-to, but still getting the same error when connecting to the paypal gateway - “Your client is using TLS 1.0, which is very old, possibly susceptible to the BEAST attack, and doesn’t have the best cipher suites available on it. Additions like AES-GCM, and SHA256 to replace MD5-SHA-1 are unavailable to a TLS 1.0 client as well as many more modern cipher suites.”
I’m a bit lost as I don’t know if this is a Java security thing (I tried a few changes to the java.security file), or perhaps a Tomcat setting, but I appreciate all reads and suggestions as it’s not an incoming issue (which I would have found easy) but more an outbound one when cfhttp is used.
Thanks for the quick reply. I do keep reading that Java seems to be the key; I have the following:
#java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
I am continuing to read as well, but appreciate the quick reply.
My developer made a test page that connects, and one part of the test page has the following:
Java info:<br/>
<cfdump var=#Server.Java# />
and in that I see:
version string 1.7.0_67
So that is a BIG help, as I know 1.8 should fix it, BUT I'm not sure why the above version shows 1.8, so not sure where that is being called from, but getting closer!
Here is where I am confused: if java -version is showing the OS version, I don’t understand how to upgrade to Java 8 if that is what is already there.
I thought the package libtomcat8-java was the magic one, but nope.
update-alternatives --config java
There is 1 choice for the alternative java (providing /usr/bin/java).
Selection Path Priority Status
0 /usr/lib/jvm/java-8-oracle/jre/bin/java 1081 auto mode
* 1 /usr/lib/jvm/java-8-oracle/jre/bin/java 1081 manual mode
Edit those to point to another Java installation that you want to use. Actually, if you just comment those lines out, it may default back to the default environment vars set in your OS.
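The thread's diagnosis hinges on two facts: the JVM the shell sees (java -version) is not necessarily the JVM the Lucee/Tomcat process was started with, and a Java 7 client negotiates TLSv1 by default while Java 8 defaults to TLSv1.2. The script below is an added example, not code from the thread or from the Lucee project. It assumes a Linux host with /proc (the /proc/PID/exe lookup is an assumption about the target OS), and the version-to-protocol mapping encodes the JSSE defaults for Java 7 versus 8 and later. Feed it the first line of java -version output, or run it with --live and a PID to compare the shell's Java against the JVM actually serving Lucee.

```shell
#!/bin/sh
# Added example (not from the thread): find out which JVM really runs Lucee/Tomcat
# and what TLS version that JVM's HTTPS client will negotiate by default.

# java_major_from_version: take the first line of `java -version` output, e.g.
#   java version "1.7.0_67"        -> 7
#   java version "1.8.0_131"       -> 8
#   openjdk version "11.0.2" ...   -> 11
# and print the major release number.
java_major_from_version() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$ver" in
    "")  return 1 ;;
    1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;   # legacy 1.x scheme: second field
    *)   printf '%s\n' "$ver" | cut -d. -f1 ;;   # 9+ scheme: first field
  esac
}

# default_client_tls: the protocol a JSSE client of that major negotiates by default.
# Java 7 clients default to TLSv1 (TLS 1.2 is implemented but not enabled for clients);
# Java 8 and later clients default to TLSv1.2.
default_client_tls() {
  major=$(java_major_from_version "$1") || { echo unknown; return 1; }
  if [ "$major" -ge 8 ]; then echo TLSv1.2; else echo TLSv1; fi
}

# jvm_of_pid: resolve the java binary a live process was started from (Linux /proc).
jvm_of_pid() {
  readlink -f "/proc/$1/exe"
}

# Usage: ./check_jvm.sh --live <pid-of-lucee-or-tomcat>
# Compares the shell's java with the JVM behind the given PID (assumed hypothetical PID).
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  shell_line=$(java -version 2>&1 | head -n1)
  echo "shell java:   $shell_line -> default client $(default_client_tls "$shell_line")"
  proc_bin=$(jvm_of_pid "$2")
  proc_line=$("$proc_bin" -version 2>&1 | head -n1)
  echo "pid $2 java:  $proc_bin"
  echo "              $proc_line -> default client $(default_client_tls "$proc_line")"
fi
```

If the two lines disagree, the startup script (here /opt/railo/railo_ctl) is pinning JAVA_HOME or a bundled JRE, which is exactly the situation described above: a Java 8 on the PATH but a Java 7 runtime behind cfhttp, hence the TLS 1.0 result from the PayPal check.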
I am running Lucee, version 4.5.5.006 final, sorry if I didn’t mention that. This is an Amazon AWS EC2 machine, so I did try to go from 4.5 to 5 and completely broke things, so I resorted to going back to the image (I made images just in case!)
So I will be taking a look at both replies shortly and hopefully get that going!
The only difference is this was an old Railo upgrade, so the startup was /opt/railo/railo_ctl, but sure enough I commented those 2 lines out and the test script now shows string 1.8.0_131 as the version, and the PayPal client test shows:
“Your client is using TLS 1.2, the most modern version of the encryption protocol. It gives you access to the fastest, most secure encryption possible on the web.”
I will look to move to 5.x in the near future, but what an amazing response in a community forum. I look forward to more Q&A chats, but thank you both for such quick help!
Using Lucee 5.1.3.18 and Oracle Java 1.8u131 on Windows, shows:
Your client is using TLS 1.2, the most modern version of the encryption protocol. It gives you access to the fastest, most secure encryption possible on the web.