Using Secure Sockets Layer (SSL) with CFHTTP

When using Secure Sockets Layer (SSL) to transmit secured transactions via CFHTTP, you need to be aware of limitations on its use caused by a bug in one of the components of Microsoft's InetSDK. The problem occurs on Windows NT and should not affect Windows 95/98 machines.

CFHTTP uses the InetSDK to conduct all HTTP and HTTPS transactions and relies on the WinInet DLL and Schannel DLL for its SSL implementation. The WinInet bug constrains storage of SSL certificate information to the user level. This means that WinInet does not interrogate the registry for certificate information if the client that loads the DLL is a service. As a result, a CFHTTP request to an https:// URL will fail if ColdFusion is running as a service.

While we strongly recommend that the ColdFusion Server be run as a service, a workaround for this SSL/WinInet problem is available. The workaround is to run ColdFusion as a desktop application when SSL is needed. In this way, WinInet will write to and read from the registry appropriately when negotiating certificate information.

Note To run ColdFusion as a desktop application:
  1. From the Windows NT Start menu, select Run.
  2. Type the following (assuming that your installation of CF is in the default location): c:\cfusion\bin\cfserver -DESKTOP
  3. The ColdFusion icon should appear in the Windows Task Bar.

When running the ColdFusion server as a desktop application rather than as a service, keep the following in mind:

Note To determine whether the encryption key size conforms to export laws:
  1. Right-click Schannel.dll.
  2. Select Properties.
  3. Click the Version tab.

    If the Description field reads "PCT / SSL Security Provider (Export Version)", a 40-bit key was used.