Cold Fusion Shopping Cart TLS Connectivity Issues
Question asked by Bruce Barnes - 11/27/2015 at 11:11 AM
Answered
Happy Thanksgiving, Team:
 
Hoping everyone had a wonderful Thanksgiving Day and your celebrations included family and friends - no matter what your definition of family might be.
 
Hoping someone might be able to help me with the following situation:
 
We have a new customer, a major pet supply wholesaler, out of the West Coast, with whom we are experiencing difficulties making TLS encrypted connections to SmarterMail to send e-mail confirmations from their custom CF ordering system.
 
OUR END:  We are running SmarterMail Enterprise 14.4.5802.27097 - SB - a special build.
 
We have ZERO issues with any other customers: 
  • no problems with TLS connections
  • no problems with NON-TLS connections
The customer's MAIL services in CF are setup as follows:
 
COLDFUSION 10
Latest Patch: ColdFusion 10 Mandatory Update (JAR, 4.9MB)  - dated 21 November, 2015
 
SMTP SERVER: securemail.chicagonettech.com
ENCRYPTION: TLS
PORT: 587
 
AUTHENTICATION: via a valid username (user@kingwholesale.com) and password, known to be properly working and used by their order processing department.
 
Their CF server / website is properly configured for SSL/TLS, with SSL 1.0, SSL 2.0, and SSL 3.0 disabled to make them CISP compliant - graphic below, with complete report at: https://www.ssllabs.com/ssltest/analyze.html?d=kingwholesale.com
 
Configuration
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 521 bits (eq. 15360 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 521 bits (eq. 15360 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 521 bits (eq. 15360 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 521 bits (eq. 15360 bits RSA)   FS 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
 
When a connection is made, from the customer's CF shopping cart, I get the following error:

 
[2015.11.27] 11:23:13 [76.12.169.169][48459661] rsp: 220 securemail.chicagonettech.com  Fri, 27 Nov 2015 17:23:13 +0000 UTC | SmarterMail Enterprise 14.4.5802.27097 - SB
[2015.11.27] 11:23:13 [76.12.169.169][48459661] connected at 11/27/2015 11:23:13 AM
[2015.11.27] 11:23:13 [76.12.169.169][48459661] IP in whitelist
[2015.11.27] 11:23:13 [76.12.169.169][48459661] IP in authentication bypass
[2015.11.27] 11:23:13 [76.12.169.169][48459661] cmd: EHLO kwps
[2015.11.27] 11:23:13 [76.12.169.169][48459661] rsp: 250-securemail.chicagonettech.com Hello [76.12.169.169]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.11.27] 11:23:13 [76.12.169.169][48459661] cmd: STARTTLS
[2015.11.27] 11:23:13 [76.12.169.169][48459661] rsp: 220 Start TLS negotiation
[2015.11.27] 11:23:14 [76.12.169.169][48459661] Exception negotiating TLS session: System.NullReferenceException: Object reference not set to an instance of an object.
[2015.11.27] 11:23:14 [76.12.169.169][48459661] disconnected at 11/27/2015 11:23:14 AM
[2015.11.27] 11:24:59 [76.12.169.169][25513487] rsp: 220 securemail.chicagonettech.com  Fri, 27 Nov 2015 17:24:59 +0000 UTC | SmarterMail Enterprise 14.4.5802.27097 - SB
[2015.11.27] 11:24:59 [76.12.169.169][25513487] connected at 11/27/2015 11:24:59 AM
[2015.11.27] 11:24:59 [76.12.169.169][25513487] IP in whitelist
[2015.11.27] 11:24:59 [76.12.169.169][25513487] IP in authentication bypass
[2015.11.27] 11:24:59 [76.12.169.169][25513487] cmd: EHLO kwps
[2015.11.27] 11:24:59 [76.12.169.169][25513487] rsp: 250-securemail.chicagonettech.com Hello [76.12.169.169]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.11.27] 11:24:59 [76.12.169.169][25513487] cmd: STARTTLS
[2015.11.27] 11:24:59 [76.12.169.169][25513487] rsp: 220 Start TLS negotiation
[2015.11.27] 11:24:59 [76.12.169.169][25513487] Exception negotiating TLS session: System.NullReferenceException: Object reference not set to an instance of an object.
[2015.11.27] 11:24:59 [76.12.169.169][25513487] disconnected at 11/27/2015 11:24:59 AM
[2015.11.27] 11:29:44 [76.12.169.169][48320462] rsp: 220 securemail.chicagonettech.com  Fri, 27 Nov 2015 17:29:44 +0000 UTC | SmarterMail Enterprise 14.4.5802.27097 - SB
[2015.11.27] 11:29:44 [76.12.169.169][48320462] connected at 11/27/2015 11:29:44 AM
[2015.11.27] 11:29:44 [76.12.169.169][48320462] cmd: EHLO kwps
[2015.11.27] 11:29:44 [76.12.169.169][48320462] rsp: 250-securemail.chicagonettech.com Hello [76.12.169.169]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.11.27] 11:29:44 [76.12.169.169][48320462] cmd: STARTTLS
[2015.11.27] 11:29:44 [76.12.169.169][48320462] rsp: 220 Start TLS negotiation
[2015.11.27] 11:29:45 [76.12.169.169][48320462] Exception negotiating TLS session: System.NullReferenceException: Object reference not set to an instance of an object.
[2015.11.27] 11:29:45 [76.12.169.169][48320462] disconnected at 11/27/2015 11:29:45 AM
 
I even went so far as to WHITELIST the IP and server, and still got the following error:
 
[2015.11.27] 11:19:24 [76.12.169.169][15820431] rsp: 220 securemail.chicagonettech.com  Fri, 27 Nov 2015 17:19:24 +0000 UTC | SmarterMail Enterprise 14.4.5802.27097 - SB
[2015.11.27] 11:19:24 [76.12.169.169][15820431] connected at 11/27/2015 11:19:24 AM
[2015.11.27] 11:19:24 [76.12.169.169][15820431] IP in whitelist
[2015.11.27] 11:19:24 [76.12.169.169][15820431] IP in authentication bypass
[2015.11.27] 11:19:25 [76.12.169.169][15820431] cmd:
[2015.11.27] 11:19:25 [76.12.169.169][15820431] rsp: 500 command unrecognized
[2015.11.27] 11:19:25 [76.12.169.169][15820431] cmd:
[2015.11.27] 11:19:25 [76.12.169.169][15820431] rsp: 500 command unrecognized
[2015.11.27] 11:19:25 [76.12.169.169][15820431] cmd:
[2015.11.27] 11:19:25 [76.12.169.169][15820431] rsp: 500 command unrecognized
[2015.11.27] 11:19:26 [76.12.169.169][15820431] cmd:
[2015.11.27] 11:19:26 [76.12.169.169][15820431] Closing transmission channel: too many bad commands
[2015.11.27] 11:19:26 [76.12.169.169][15820431] rsp: 421 Too many bad commands, closing transmission channel
 
Inasmuch as our contracts with our government agencies and hospitals prohibit the whitelisting of any client's IP address or e-mail, I removed the whitelisting immediately after the tests were completed.
 
Thanks, in advance, for any assistance you might be able to provide regarding this frustrating matter!
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
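An added diagnostic, not code from this thread or from SmarterMail or ColdFusion: it replays the EHLO/STARTTLS exchange shown in the log from the client side and verifies the server's certificate chain against a chosen CA bundle, which separates a server-side TLS fault from a client trust store that lacks the root. The host name, port 587, the EHLO name `probe.example` and the optional `cafile` path are assumptions.

```python
import socket
import ssl

def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: parameters}.
    Each wire line is '250-' (more follow) or '250 ' (last) plus a keyword;
    SmarterMail logs the same lines with CRLFs stripped, so they run together."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines or any(not ln.startswith("250") for ln in lines):
        raise ValueError("not a successful EHLO reply: %r" % reply)
    exts = {}
    for ln in lines[1:]:  # line 1 is the greeting, not an extension
        keyword, _, params = ln[4:].strip().partition(" ")
        if keyword:
            exts[keyword.upper()] = params
    return exts

def read_reply(f) -> str:
    """Read one SMTP reply; a space after the 3-digit code marks its last line."""
    out = []
    while True:
        line = f.readline().decode("utf-8", "replace")
        if not line:
            raise ConnectionError("server closed the connection")
        out.append(line)
        if len(line) >= 4 and line[3] == " ":
            return "".join(out)

def starttls_probe(host, port=587, cafile=None, timeout=10):
    """EHLO, STARTTLS, handshake, QUIT. cafile=None verifies against the
    system trust store; pass a PEM bundle to test a specific set of roots."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        f = raw.makefile("rb")
        banner = read_reply(f)
        raw.sendall(b"EHLO probe.example\r\n")  # assumed client name
        exts = parse_ehlo(read_reply(f))
        if "STARTTLS" not in exts:
            raise RuntimeError("STARTTLS not advertised: %r" % exts)
        raw.sendall(b"STARTTLS\r\n")
        go = read_reply(f)
        if not go.startswith("220"):
            raise RuntimeError("STARTTLS refused: " + go.strip())
        # A chain the client cannot build to a trusted root fails right here
        # with SSLCertVerificationError: the client-side view of a missing CA.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"QUIT\r\n")
            return {"banner": banner.strip(), "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": tls.getpeercert().get("subject")}
```

Running it once with the system store and once with a PEM export of the client JVM's cacerts shows which trust store is missing the chain.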

2 Replies

Emmet McGovern Replied
Marked As Answer
They need to import the CA Root into their Coldfusion Administrator if they are on an older JVM.  They should have a java socket error in their coldfusion mail log files.  JVM updates don't happen on the updater level, only on version releases.
Bruce Barnes Replied
Emmet:
 
Thanks for getting back to me regarding this issue.   We figured that out after close to 100 hours of research over the past 7 days.
 
We sent them the appropriate COMODO certificates.  Here's what we have instructed them to do:

In order to make the VPS work with SECUREMAIL.CHICAGONETTECH.COM, you will need to do the following:

You will also need to know your JAVA KEYSTORE PASSWORD to do this.

Import MY Comodo certs into YOUR Java Store - for the version they are using (You can run multiple versions of Java) - they are attached as .CRT and .TXT files.

If the .CRT files are blocked, then just download and RENAME the .TXT to .CRT files.

Here are some instructions which will help you accomplish this: https://www.instantssl.com/ssl-certificate-support/cert_installation/ssl-certificate-java.html

Here are the commands you will need to do this; your path will probably be different from that shown:

keytool -import -trustcacerts -file "C:\cert\COMODORSAAddTrustCA.crt" -keystore "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts"

keytool -import -trustcacerts -alias INTER -file "C:\cert\COMODORSADomainValidationSecureServerCA.crt" -keystore "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts"

Remember to REBOOT the server after the import.

Once that is done, I will have to go in to the VB console, reconfigure the TLS, test and validate the settings.  Once that's done, the order confirmations should begin to work.