May 16, 2018
USPS Shipping API Ending TLS 1.1 and TLS 1.0 Support, is your ColdFusion Server Ready?
Comments
(6)
May 16, 2018
USPS Shipping API Ending TLS 1.1 and TLS 1.0 Support, is your ColdFusion Server Ready?
Newbie 12 posts
Followers: 7 people
(6)

At CF Webtools we recently went through a round of server upgrades to handle the Authorize.net ending support for older TLS versions. Now USPS, United State Postal Service, is doing the same thing with their Shipping APIs. This is going to be happening for all API’s and most likely all this year as PCI requirements for ending support for TLS 1.1 and older at the end of June 2018. This is according to the PCI Security Standards Council.

USPS will be turning off support for TLS 1.1 and older for testing. In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.

This message explains some security improvements planned for our services. Effective 06/22/18, Web Tools will discontinue support of Transport Layer Security (TLS) version 1.0 and 1.1 for securing connections to our HTTPS APIs through the following URL: https://stg-secure.shippingapis.com/shippingapi.dll. This includes, but is not limited to, all shipping label and package pickup APIs. After this change, integrations leveraging TLS version 1.0 and 1.1 will fail when attempting to access the APIs.

You are receiving this message because the Web Tools UserID associated with your email address has made HTTPS requests over the past year. It is possible that no changes are necessary to retain Web Tools services and benefit from the improvements. Please review the entire message carefully and share with your web developer, software vendor, or IT service provider to determine if your use of the Web Tools APIs will be affected. If you have already updated your security certificates please disregard this message. If you are not sure if any changes are necessary, please ask your IT service provider.

In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.

Further background: Security research published in recent years demonstrated that TLS version 1.0 and 1.1 contained weaknesses that limited its ability to protect and secure communications. These weaknesses have been addressed in the TLS 1.2 version. Major browser software vendors have been supporting TLS 1.2 for some time. Consistent with our priority to protect USPS Web Tools customers, Web Tools will only support versions of the more modern TLS 1.2 as of the effective date noted above.

Contact us at WebTools@usps.gov with any questions or concerns.

This means that if you are using older methods to make calls to USPS that are not capable of making TLS 1.2 connections then you will NOT be able to process Shipping API transactions.

This affects ALL ColdFusion versions 9.0.2 and older! This also affects ColdFusion 10 Update 17 and older. If your server is running any of these older versions of ColdFusion and your server is processing Shipping API transactions with USPS then this advisory applies to your server.

Mitigation

Getting compliant depends on age of your server operating system. There are three main ways to get your server to handle TLS 1.2.

  1. If you’re running on Windows Server 2008 Standard (not R2) or older then the only solution is to migrate to a newer server. This can be challenging and time consuming. It’s best to start planning now if a plan isn’t already in place and being acted upon.
  2. If your server is running ColdFusion 10 and newer on Windows 2008 or newer then the solution is most likely very simple. In most cases you’ll need to install the ColdFusion patches and upgrade to Java 1.8.0_nn.
  3. There is a solution for the in between systems running ColdFusion 9 and older on Windows 2008 R2. This does require using a third party extension to ColdFusion and some refactoring of your code to call the API.
  4. There are sure to be outlier cases that will require either migration or patching depending on the exact combination of operating system, ColdFusion version and Java version.

CF Webtools has been successfully mitigating this issue for clients servers for the past couple years and we are very experienced in resolving these security related issues. In a previous blog post I tested which TLS levels were supported by various ColdFusion versions on various Java versions and produced an easy to read chart.

If your ColdFusion server is affected by this or if you do not know if your ColdFusion server is affected by this then please contact us (much) sooner than later. Our operations group is standing by 24/7 – give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

6 Comments
2018-05-16 14:16:00
2018-05-16 14:16:00

Netsuite just turned off sub-1.2 as well.

Like
()
(1)
>
Mark.Gregory
's comment
2018-05-17 18:20:42
2018-05-17 18:20:42
>
Mark.Gregory
's comment

Everyone that wants/needs to be PCI compliant will be disable older TLS and SSL. It’s a TLS 1.2+ world!

Like
()
2018-05-10 16:08:15
2018-05-10 16:08:15

Hey, Wil, good stuff. One problem: you refer to a blog post where you said you had a table of SSL/TLS versions supported by CF, but the link (the href) is currently empty. Did you mean this post:

https://www.coldfusionmuse.com/index.cfm/2014/12/8/colfusion-jvm-versions-sslv3-tls

Note that the same issue is true on the copy of this blog post on your site, also, so you’ll want to fix it in both places.

Finally, I just added a pointer to this post in a blog post of my own I just made today, on the question of CF support of Java 9, 10, or 11. More at http://www.carehart.org/blog/client/index.cfm/2018/5/9/on_coldfusion_and_its_support_for_Java_9_10_and_11.

Like
()
(1)
>
Charlie Arehart
's comment
2018-05-18 20:39:30
2018-05-18 20:39:30
>
Charlie Arehart
's comment

Thanks – fixed

Like
()
2018-05-10 10:31:38
2018-05-10 10:31:38

Linux is fine, I assume as you don’t mention it.

Like
()
(1)
>
ChivertonT
's comment
2018-05-10 17:03:35
2018-05-10 17:03:35
>
ChivertonT
's comment

Not really. Older Linux versions that are not updated may not work with TLS 1.2. Additionally Java 1.7 with any ColdFusion version is not going to work with TLS 1.2.

Like
()
Add Comment