[SOLVED] Outbound TLS 1.0 disable - will upgrade fix this?

Going to try to keep this as simple as possible: we use PayPal as a gateway for payments and were notified that the webserver uses TLS 1.0 to go to the gateway, and that needs to be upgraded to use TLS 1.2.

This is on an Ubuntu 14.04 LTS server that I was running Railo on, and I figured just upgrading would do the trick, so I was able to upgrade to Lucee 4.5 following the how-to, but I'm still getting the same error when connecting to the PayPal gateway: “Your client is using TLS 1.0, which is very old, possibly susceptible to the BEAST attack, and doesn’t have the best cipher suites available on it. Additions like AES-GCM, and SHA256 to replace MD5-SHA-1 are unavailable to a TLS 1.0 client as well as many more modern cipher suites.”

I’m a bit lost, as I don’t know if this is a Java security thing (I tried a few changes to the java.security file) or perhaps a Tomcat setting, but I appreciate all reads and suggestions, as it’s not an incoming issue (which I would have found easy) but more an outbound one when cfhttp is used.

Thanks

What version of Java are you running?

Thanks for the quick reply. I do keep reading that Java seems to be the key; I have the following:

#java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

I am continuing to read as well, but appreciate the quick reply.

My developer made a test page that connects, and one part of the test page has the following:

Java info:<br/>
    <cfdump var=#Server.Java# />

and in that I see:

version	string	1.7.0_67

So that is a BIG help, as I know 1.8 should fix it, BUT I'm not sure why the above version shows 1.8, so I'm not sure where that is being called from, but getting closer!

java -version shows you the version that is installed as default on the OS.

That doesn’t necessarily mean that’s the version that is running Lucee.

Try:

<cfdump var="#Server.java#">

or

dump(Server.java);

Agree, as I did edit above, but that shows the following:

executionPath	  string	/opt/railo/tomcat/
version	string	1.7.0_67

So, it seems Tomcat is using that 1.7, which I have read enough to see is my issue.

So upgrading to Java 8 should resolve your issue?

Here is where I am confused: if java -version is showing the OS version, I don’t understand how to upgrade to Java 8 if that is what is already there.

I thought the package libtomcat8-java was the magic one, but nope.

update-alternatives --config java

There is 1 choice for the alternative java (providing /usr/bin/java).

 Selection    Path                                     Priority   Status
  0            /usr/lib/jvm/java-8-oracle/jre/bin/java   1081      auto mode
* 1            /usr/lib/jvm/java-8-oracle/jre/bin/java   1081      manual mode

Find the script that launches the Railo service and edit it there.

You should really upgrade to Lucee though. Railo is no longer supported and does not receive any security updates nor support as far as I know.

On my Linux server which I installed Lucee on via the installer, I ran

nano /etc/init.d/lucee_ctl

And these lines are near the top:

JRE_HOME=/opt/lucee/jdk/jre; export JRE_HOME
JAVA_HOME=/opt/lucee/jdk; export JAVA_HOME

Edit those to point to another Java installation that you want to use. Actually, if you just comment those lines out, it may default back to the default environment vars set in your OS.

FYI: You only need JRE_HOME for Tomcat. It goes like this in pseudo-code:

if (isDefined("JRE_HOME"))
  use JRE_HOME;
else if (isDefined("JAVA_HOME"))
  use JAVA_HOME/jre;
else throw exception;
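To make the lookup order above concrete, here is an added example (not code from the thread or from Tomcat's own scripts) as a POSIX sh helper: it resolves the JRE directory the way the pseudo-code describes (JRE_HOME first, otherwise JAVA_HOME/jre, otherwise fail), reads the version from that JRE, and says whether an outbound client on that Java will default to TLS 1.2. Two assumptions are not stated on the page: that the JRE directory carries a "release" file with a JAVA_VERSION="..." line (Oracle/OpenJDK 8 JREs do), and that Java 8 and later default the client side to TLS 1.2 while Java 7 and earlier default to TLS 1.0, which is the symptom in this thread.

```shell
# Added example: mimic the JRE_HOME / JAVA_HOME lookup described in the thread
# and judge whether the resolved JRE negotiates TLS 1.2 by default.
# Assumptions (not from the page): the JRE has a "release" file containing
# JAVA_VERSION="..."; Java 8+ clients default to TLS 1.2, Java 7 and older to TLS 1.0.

# resolve_jre JRE_HOME JAVA_HOME -> prints the JRE directory Tomcat would use
resolve_jre() {
  jre_home=$1
  java_home=$2
  if [ -n "$jre_home" ]; then
    printf '%s\n' "$jre_home"
  elif [ -n "$java_home" ]; then
    printf '%s/jre\n' "$java_home"
  else
    echo "neither JRE_HOME nor JAVA_HOME is set" >&2
    return 1
  fi
}

# java_version_from_release DIR -> e.g. "1.8.0_131", read from DIR/release
java_version_from_release() {
  release_file=$1/release
  if [ ! -r "$release_file" ]; then
    echo "no readable release file in $1" >&2
    return 1
  fi
  sed -n 's/^JAVA_VERSION="\([^"]*\)"/\1/p' "$release_file"
}

# tls12_default VERSION -> exit 0 when a client on this Java defaults to TLS 1.2.
# Java 7 supports TLS 1.2 but only enables TLS 1.0 on the client unless asked,
# which is why a Java 7 JVM trips the PayPal check even on a patched OS.
tls12_default() {
  case "$1" in
    1.[0-7].*) return 1 ;;          # 1.5, 1.6, 1.7: TLS 1.0 by default
    1.8.*) return 0 ;;              # Java 8: TLS 1.2 by default
    9*|[1-9][0-9]*) return 0 ;;     # Java 9, 10, 11, ...: TLS 1.2 or newer
    *) echo "unrecognised version: $1" >&2; return 2 ;;
  esac
}

# check_jre JRE_HOME JAVA_HOME -> "DIR VERSION ok|old" on one line
check_jre() {
  dir=$(resolve_jre "$1" "$2") || return 1
  ver=$(java_version_from_release "$dir") || return 1
  if tls12_default "$ver"; then verdict=ok; else verdict=old; fi
  printf '%s %s %s\n' "$dir" "$ver" "$verdict"
}
```

To use it against a service, pull the two variables out of the init script rather than sourcing it (sourcing would start the service): `grep -E '^(JRE_HOME|JAVA_HOME)=' /opt/lucee/lucee_ctl`, then call `check_jre` with those values. An empty JRE_HOME and JAVA_HOME means the script falls through to whatever the environment provides, which is the effect of commenting the lines out.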

I am running Lucee, version 4.5.5.006 final; sorry if I didn’t mention that. This is an Amazon AWS EC2 machine, so I did try to go from 4.5 to 5 and completely broke things, so I resorted to going back to the image (I made images just in case!).

So I will be taking a look at both replies shortly and hopefully get that going!

Stay tuned, and thanks.

The only difference is this was an old Railo upgrade, so the startup script was /opt/railo/railo_ctl, but sure enough I commented those 2 lines out, and the test script now shows string 1.8.0_131 as the version, and the PayPal client test shows:

“Your client is using TLS 1.2, the most modern version of the encryption protocol. It gives you access to the fastest, most secure encryption possible on the web.”

I will look to move to 5.x in the near future, but what an amazing response in a community forum. I look forward to more Q&A chats, but thank you both for such quick help!


You may also want to review this:
https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https

The following snippet:

http url="https://www.howsmyssl.com/" result="httpRes";
echo(httpRes.fileContent);

Using Lucee 5.1.3.18 and Oracle Java 1.8u131 on Windows, shows:

Your client is using TLS 1.2, the most modern version of the encryption protocol. It gives you access to the fastest, most secure encryption possible on the web.
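As an added example (not code from the thread, and not part of Lucee or howsmyssl), here is a small POSIX sh toolkit for the two checks that settled this thread: which java binary is actually hosting Tomcat/Lucee (the point on which `java -version` misled the original poster), and what protocol the client ended up negotiating. It reads /proc, so it is Linux-only. The JSON endpoint https://www.howsmyssl.com/a/check and its "tls_version" field are assumptions about that third-party service; the sample JSON in the block is constructed for offline use.

```shell
# Added example: verify after the fix which JVM is really running the service
# and parse the protocol reported by howsmyssl's JSON check.
# Assumptions (not from the page): Linux /proc layout; the /a/check endpoint
# returns JSON with a "tls_version" field formatted like "TLS 1.2".

# running_java_binaries -> "PID /path/to/bin/java" for every running java process.
# This is what "java -version" in a shell cannot tell you: the OS default JVM
# and the JVM a service was started with can differ.
running_java_binaries() {
  for exe in /proc/[0-9]*/exe; do
    target=$(readlink "$exe" 2>/dev/null) || continue
    case "$target" in
      */bin/java)
        pid=${exe%/exe}
        pid=${pid#/proc/}
        printf '%s %s\n' "$pid" "$target" ;;
    esac
  done
}

# jre_dir_of_binary /opt/x/jre/bin/java -> /opt/x/jre
jre_dir_of_binary() {
  printf '%s\n' "${1%/bin/java}"
}

# report_running_jvms -> one line per JVM: pid, JRE directory, version banner
report_running_jvms() {
  running_java_binaries | while read -r pid bin; do
    printf 'pid %s  jre %s  %s\n' "$pid" "$(jre_dir_of_binary "$bin")" \
      "$("$bin" -version 2>&1 | head -n 1)"
  done
}

# tls_version_from_json JSON -> value of "tls_version", e.g. "TLS 1.2"
tls_version_from_json() {
  printf '%s' "$1" | sed -n 's/.*"tls_version":"\([^"]*\)".*/\1/p'
}

# tls_verdict VERSION -> "ok" for TLS 1.2 / 1.3, "old" for anything else (incl. empty)
tls_verdict() {
  case "$1" in
    "TLS 1.2"|"TLS 1.3") echo ok ;;
    *) echo old ;;
  esac
}

# Constructed sample (trimmed) of the shape the endpoint returns, for offline use.
SAMPLE_JSON='{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA"],"tls_version":"TLS 1.0","rating":"Bad"}'

# check_saved_response FILE -> prints "VERSION ok|old" for a response saved from cfhttp
check_saved_response() {
  ver=$(tls_version_from_json "$(cat "$1")")
  printf '%s %s\n' "${ver:-unknown}" "$(tls_verdict "$ver")"
}
```

The protocol check must be made from inside the JVM: fetching the endpoint with curl reports curl's TLS library, not Java's. Point the cfhttp snippet above at https://www.howsmyssl.com/a/check, write httpRes.fileContent to a file, and run `check_saved_response` on it; `report_running_jvms` then confirms the binary behind that answer is the 1.8 one and not the bundled 1.7 JRE.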