ColdFusion Muse

ColdFusion SFTP and FTPS Secure Connection Failure

Wil Genovese February 15, 2018 3:03 PM ColdFusion, Coldfusion Security Comments (4)

I have seen a lot more people asking questions about making SFTP or FTPS secure connections from ColdFusion using the <CFFTP> tag. They are trying to figure out why they cannot make a connection. Often the error is "Algorithm negotiation fail" or "Connection Error". People are posting their questions on many support forums, including Adobe's forums and their new ColdFusion Community Portal. This is a problem people are experiencing in ColdFusion 10 and ColdFusion 11.

In the last few years we've seen a huge shift in SSL/TLS security, including the removal of older, less secure protocols and a push to force secure connections onto the newer, stronger protocols with stronger TLS certificates and stronger encryption ciphers. As a result, older systems need to be upgraded to handle the newer security protocols. More recently, plain old insecure FTP portals have been the focus of a change to SFTP or FTPS.

At CF Webtools we've run into this same problem several times with multiple clients. It was so much of a problem that I needed to spend some dedicated time to see how we could resolve this issue.

The first thing I discovered is that this issue is a known "bug" that has been reported to Adobe. It has been known for a long time, and somehow the fix, which is in ColdFusion 2016, has not been included in an update for earlier ColdFusion versions. However, Adobe has affirmed to me that this fix is scheduled for an upcoming update.

Because it was fixed in ColdFusion 2016 I was able to inspect the included jar files to see if the one that handles CFFTP or secure communications was newer than the one(s) in ColdFusion 11. What I found is that jsch-0.1.44m.jar had been replaced by jsch-0.1.52m.jar. The JSCH jar library is the library that handles Java Secure Channel communications. "JSch allows you to connect to an sshd server and use port forwarding, X11 forwarding, file transfer, etc., and you can integrate its functionality into your own Java programs."

After seeing that this jar was upgraded I had an aha moment and figured it was worth a try to copy the newer version into my ColdFusion 11 test server and see what happened. The new version is in the ./ColdFusion2016/cfusion/lib folder. You can download the free ColdFusion 2016 Developer Edition and install it anywhere so you can get access to the updated jar file. Once you have the new jar file, copy it into ColdFusion 11. The proper way to do this is to remove or rename the old jar file version in your ColdFusion11/cfusion (or instance name)/lib folder, then copy the new jar file version into the same folder. Then start or restart ColdFusion 11. That's it. You're done. The bug is fixed and you're good to go with SFTP or FTPS using <CFFTP> in ColdFusion 11.
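The jar swap described above, as an added shell example (not from the original post and not Adobe tooling): it retires any old jsch jar under a `.disabled` suffix so a rollback copy remains without a second JSch version left in the lib folder, copies the new jar, and verifies the copy. The function name, the suffix and both folder arguments are assumptions.

```shell
#!/bin/sh
# Added example: swap the JSch jar in a ColdFusion 11 lib folder for the one
# shipped with ColdFusion 2016. Both folders are supplied by the caller.

swap_jsch() {
    src_lib=$1   # e.g. ColdFusion2016/cfusion/lib
    dst_lib=$2   # e.g. ColdFusion11/cfusion/lib (or the instance's lib folder)

    [ -d "$src_lib" ] && [ -d "$dst_lib" ] || { echo "lib folder missing" >&2; return 1; }

    # Exactly one jsch jar is expected in the source folder.
    set -- "$src_lib"/jsch-*.jar
    [ "$#" -eq 1 ] && [ -f "$1" ] || { echo "expected one jsch jar in $src_lib" >&2; return 1; }
    new_jar=$1
    new_name=$(basename "$new_jar")

    # Retire every old jsch jar. The ".disabled" suffix keeps a rollback copy
    # while making sure the file no longer matches *.jar in the lib folder.
    for old in "$dst_lib"/jsch-*.jar; do
        [ -f "$old" ] || continue
        [ "$(basename "$old")" = "$new_name" ] && continue
        mv "$old" "$old.disabled" || return 1
    done

    cp -p "$new_jar" "$dst_lib/$new_name" || return 1

    # Verify the copy byte for byte, and that only one jsch jar remains.
    cmp -s "$new_jar" "$dst_lib/$new_name" || { echo "copy mismatch" >&2; return 1; }
    set -- "$dst_lib"/jsch-*.jar
    [ "$#" -eq 1 ] || { echo "more than one jsch jar in $dst_lib" >&2; return 1; }
    echo "installed $new_name; restart ColdFusion to load it"
}

# Run only when called with both folders: sh swap_jsch.sh <cf2016 lib> <cf11 lib>
if [ "$#" -eq 2 ]; then swap_jsch "$1" "$2"; fi
```

Stop ColdFusion 11 before running it and start it again afterwards; to roll back, delete the new jar and remove the `.disabled` suffix from the old one.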

This is not an approved fix from Adobe. I do not know if there is some unknown issue that could be created by doing this. However, I do know that everyone I've talked to that has tried this has had their secure FTP issues resolved. Additionally I have not tried this 'fix' in ColdFusion 10. However, if you are running into this issue with ColdFusion 10 it's worth the minimal effort to give it a try.

If you need someone to make this change on your ColdFusion server then contact us, we can help. CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations @

  • Posted By John | 3/2/18 9:12 AM
    Still facing sftp error on Please help sir how to resolve this error.
  • Posted By Wil Genovese | 3/2/18 1:22 PM

    I need to know what version of OS, ColdFusion, and Java that you're running to help troubleshoot.

  • Posted By Wil Genovese | 9/27/18 3:26 PM
    Update: I had a reason today to test this workaround on ColdFusion 10. It didn't work. I set up an FTP server on one of our servers with TLS 1.2 and set up the proper TLS certificate. I even imported the public certificate in the CF10 Java keystore. All methods failed to make a secure connection over TLS 1.2. This was with ColdFusion 10 fully patched on Java 1.8.0_181.
  • Posted By Bill Degnan | 10/8/18 2:51 PM
    I have a Win 2016 server with CF 10. On the server I have a CF script whose job it is to upload little text files to another server when certain conditions exist. I recently migrated the site from a Win 2008 server, which worked perfectly. I was unsure if I should try CF 10 on a Win 2016 box but it seems to work other than issues with SFTP not always connecting. Usually it's ok, but annoying to not have near 100% success.

    Roughly ~15-40% of the attempts to use the SFTP routine fail to make the connection, the logs report:

    "An error occurred while establishing an sFTP connection

    Looking for a solution I found this page and I attempted the solution. I was able to install the JAR file from CF 2016 on another client's server. I am using jsch-0.1.54.jar. After restarting CF I found that the uploads (little text files) worked, but I need to watch the next few days' real world tests to judge this a complete success. At least you can use the JAR file on CF 10. So far no errors related to lack of connection. TLS 1.2 is the protocol.