Read on for more details.

[....Continue Reading....]

Folks who are members of the Online ColdFusion Meetup that I run will already have gotten notification about this, but those who are not:

[....Continue Reading....]

ColdFusion at 25: not the kid most have stuck in their minds

As ColdFusion turns 26 next month, many seem stuck remembering it only as the "teen" they knew or even the "child", when instead it's grown up to be a capable "adult", impressive in many ways, and even more so recently. In this session, we'll look back at how CF has indeed evolved into a very capable platform, with quite modern features that seem to surprise many--including people working with it currently. If you struggle "finding CF people" or "getting buy-in", perhaps these observations could help you with both challenges. If nothing else, they're things designed simply to help you get your job done, while keeping up with modern practices.

We'll start with many modern coding techniques--which will be familiar to those using more "modern" languages but that many don't realize CF supports, and may have for years. We'll then look at ways that things such as CF installation/deployment, configuration/administration, monitoring, security, and more have improved over the years. And we'll look not only at CF itself but the community surrounding it, ranging from resources for help and learning to tools and services that others have created, making CF a far more complete ecosystem than most give it credit. Put another way: it's not your father's CF!

I look forward to presenting this topic and hope you'll come check it out.

For most, you should read on, especially about an important change regarding TLS support (and calling out to servers not yet running TLS 1.2 or above). I cover that and other important topics:

• What's in the JVM update, do you need to update to it?
• A key change in this Java update: calls out to TLS 1.1 or 1.0 no longer allowed, by default
• Re-enabling support for calling out to old TLS versions
• Groundhog day: you'll need do make this java.security file change on any later JVM updates
• Should you update to the new JVM version?
• The importance of testing such updates/changes
• More questions you may surely have, and finding answers to them
• Obtaining the updated Java installers

[....Continue Reading....]

Some good news is that ColdFusion offers simple ways/variables that can show you each of these, via the admin or via CFML code. In this post, I discuss both approaches, including a simple single variable which works in CF2018 and above, a variation for those on CF2016 and earlier, as well as variations for Lucee.

[....Continue Reading....]

The recent release of CF2021 is a great sign for the continued vitality of CF, but this looming deadline is a reminder that as the years roll on, we not only get new versions but we say good-bye to old ones.

Wondering what you can do? or when CF2018 or CF2021 support ends? And what's the difference between "core" and paid Adobe support plans? For more on these, as well as official Adobe documentation that discusses such things, read on.

[Update: CF2016 users got a "reprieve" of sorts, when Adobe released updates to CF2021 and 2018 in March 2021, and they also offered the final update to CF2016, update 17, especially because it address a security vulnerability. Sadly, some of the changes in the update--not related to the security fix--were "breaking" changes. For more on that update, see the Adobe blog post from March 2021.)

[....Continue Reading....]

Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

The TLDR is this: If you create (or are given) a CF "CAR" (ColdFusion ARchive) file, you should treat that as a file that contains passwords, as technically it will, if what was exported into it was in fact any CF Admin setting which holds a password (there are several). No, the passwords are not in plain text within the CAR (which is just a zip). But the info needed to decrypt the passwords is in that file, and the CF Admin INTO WHICH such a CAR is imported will now have those passwords enabled within that CF Admin. Perhaps more dismaying, a savvy coder could easily use that info to convert the "encrypted" passwords into plain text in a single line of code. So one SHOULD indeed take care to secure such CAR files (if not delete them after use).

Do I have your attention now? Just a bit more tldr to preface the post...

Is the concern really unique to CAR files alone? And is deleting the CAR files the only way to "secure" them? No, but a difference is that CAR files may be passed around in a way that other "sensitive" CF files would not be. Indeed, what about the process of simply transporting them from one server to another? Should you be as concerned about that? And what if you don't WANT to delete them because they hold the CF Admin settings of record for an old CF instance you are removing? Should you even be concerned that a colleague also accessing your CF Admin might now use the info identified here to try to obtain a CAR file and use it in ways they should not? And what can you do to limit that? Finally, what about other tools that can save/transfer admin settings, like CFConfig in commandbox?

If you're interested in what's up (and if you or anyone on your server uses the CF Archive mechanism at all, you should be), then do read on. Same if you are not aware of what CAR files are used for, as I will explain.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

I cover:

• Knowing when a connector update is needed
• How to apply the connector update, via gui or commandline
• What updating the web server connector actually does

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

But here's some good news: Amazon has recently released a new free JVM (java virtual machine) implementation based on the OpenJDK specification, called Corretto. In this post, I want to share some news about it. (Off the bat, let me tell my friends on any Linux flavor other than Amazon Linux 2, this is not yet available to you. For now it is only available for Amazon Linux 2 as well as Windows, MacOS, and as a docker image. Other Linux flavors are due in Q1 2019.)

For much more, read on.

Update in Jan 2019: This is no longer an option for CF folks to consider, as Adobe announced both that they have licensed Oracle Java for production use by those using CF, and they clarified that they will NOT be adding support for any OpenJDK implementations. I will leave this post and the rest, for non-CF users and for posterity.

[....Continue Reading....]