Due to vulnerabilities in the Transport Layer Security v1.0, Liferay has disabled TLS 1.0 for inbound secure connections on all systems and services on January 11, 2019.
Table of Contents
- Reason for the Changes
- Affected Liferay Portal and DXP Functionalities
- Affected Liferay Services and Websites
- Customer and Deployment Impact
- Mitigation Notes for Deployments
- Known Issue
- Note for Deployments - Inbound Traffic
- Related Resources
Resolution
1. Reason for the Changes
The vulnerabilities in TLS 1.0 (and SSL protocols) include POODLE and DROWN. Due to these security risks, Liferay decided to disable TLS 1.0, as many other companies have done.
Moving to TLS 1.1 and higher will allow users to keep communications between Liferay and Liferay.com secure.
What TLS version Liferay systems are going to support:
We will support TLS 1.1 and above.
2. Affected Liferay Portal and DXP Functionalities
- Marketplace
- Licensing (via order id):
- While this activation method is deprecated for Portal and DXP instances (though some deployments might still be using it), for Marketplace apps it's still in use and it requires to make outbound HTTPS connections to certain Liferay servers to validate the order.
- Please refer to the "Deployment impact" section below for more details about how these connections can be affected.
- To determine the activation method of your Liferay instance please read this article.
3. Affected Liferay Services and Websites
- api.liferay.com
- cdn.lfrs.sl
- community.liferay.com
- customer.liferay.com
- demo.liferay.com
- dev.liferay.com
- downloads.liferay.com
- forms.liferay.com
- learn.liferay.com
- liferay.com
- liferay.com.br
- liferay.com.cn
- liferay.de
- liferay.es
- liferay.org
- marketplace.liferay.com
- mp.liferay.com
- origin.lfrs.sl
- partner.liferay.com
- services.liferay.com
- support.liferay.com
- translate.liferay.com
- www.liferay.com
- releases.liferay.com (tentative)
- repository.liferay.com (tentative)
4. Customer and Deployment Impact
There are Liferay Portal and DXP functionalities and applications that make outbound connections to remote servers (including Liferay services and websites). Server administrators should review their deployment configurations and adjust them (if needed) to enable initiating secure connections using a higher TLS protocol version and to prevent falling back to TLS 1.0.
5. Mitigation Notes for Deployments
# Technical Information
- There is a Java system property available called
https.protocols, which controls the protocol version used by Java clients in certain cases (see details on Oracle's blog: Diagnosing TLS, SSL, and HTTPS). - On Java 8, the default client-side TLS version is TLS 1.2 (TLS 1.1 is also supported and enabled).
- On Java 7, the default client-side TLS version is TLS 1.0, but TLS 1.1 and 1.2 are also supported, though must be enabled manually. As of Java 7u111, TLS 1.1 and 1.2 are also enabled by default, though this update is available for Oracle Customers only.
- On Java 6, the default and only client-side TLS version is TLS 1.0. As of Java 6u111, TLS 1.1 is also supported, though this update is available for Oracle Customers only.
As a result of these, Liferay Portal and DXP deployments are affected differently.
# Liferay DXP 7.0, 7.1, and 7.2
Liferay DXP requires Java 8, so these deployments have TLS 1.1 and 1.2 enabled by default and ensure that outbound connections can use higher secure protocol versions. To improve your server's security, Liferay recommends disabling TLS 1.0 for clients (outbound connections) using the system property mentioned above.
# Liferay Portal 6.1 and 6.2 EE
Liferay Portal 6.2 EE and 6.1 EE GA3 versions support Java 8, which has TLS 1.1 and TLS 1.2 enabled by default. As with Liferay DXP installations, Liferay recommends disabling TLS 1.0 for clients (outbound connections) using the system property mentioned above.
Liferay Portal 6.1 and 6.2 EE deployments running on Java 7 should consider moving to Java 8.
6. Known Issue
There is a known issue which prevents manually configuring the https.protocols system property to control the allowed TLS protocols for outbound HTTPS connections.
# When do you need the fix?
- Deployments running on Java 8 may want to apply this fix to disable TLS 1.0 for outbound HTTPS requests. TLS 1.1 and 1.2 are enabled by default in Java 8. → Recommended
- Deployments running on Java 7 requires this fix in order to enable TLS 1.1/1.2 (and also to disable TLS 1.0) for outbound HTTPS connections unless using Java 7u111. → Required
# How can you get the fix?
Users can access the fix for LPE-16580 through the following methods:
- Liferay DXP 7.2: No Fix Pack is needed as LPE-16580 was built into Liferay DXP 7.2.
- Liferay DXP 7.0, 7.1: Customers can download the latest fix pack (7.0 Fix Pack 64+ or 7.1 Fix Pack 4+) or open a Help Center ticket to request a hotfix.
- Liferay 6.2 EE, 6.1 EE GA3: Customers can download the latest fix pack (Portal-169+ or Portal-71+) or open a Help Center ticket to request a hotfix.
7. Note for Deployments - Inbound Traffic
Liferay also recommends that server administrators disable support for TLS 1.0 and enable higher TLS protocols for inbound traffic on all Liferay Portal and DXP deployments. The actual settings to enable and configure TLS can vary on each deployment, so system administrators should consult with their Application Server’s documentation and apply the necessary changes.
8. Related Resources
- Liferay Knowledge Base: Activating Liferay DXP
- Liferay Announcement (Nov 1, 2018): Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
- Oracle Documentation: JDK 8 Security Enhancements
- Oracle Documentation: Java SE 7 Security Enhancements
- Oracle Blog: JDK 8 will use TLS 1.2 as default
- Oracle Blog: Diagnosing TLS, SSL, and HTTPS
- JDK Bug System: JDK-7093640 Enable client-side TLS 1.2 by default
- Oracle Documentation: Java SE Development Kit 7, Update 95 (JDK 7u95)
- IBM Support: How do I change the default SSL protocol my Java Client Application will use?