Because of known weaknesses in Transport Layer Security (TLS) 1.0, Liferay disabled TLS 1.0 for inbound secure connections on all of its systems and services on January 11, 2019.
Table of Contents
- Reason for the Changes
- Affected Liferay Portal and DXP Functionalities
- Affected Liferay Services and Websites
- Customer and Deployment Impact
- Mitigation Notes for Deployments
- Known Issue
- Note for Deployments - Inbound Traffic
- Related Resources
# Reason for the Changes
Moving to TLS 1.1 and higher keeps communications between Liferay deployments and Liferay.com secure.
Which TLS versions Liferay systems will support: TLS 1.1 and above.
# Affected Liferay Portal and DXP Functionalities
- Licensing (via order ID):
- Although this activation method is deprecated for Portal and DXP instances (some deployments may still use it), it is still in use for Marketplace apps, and it requires outbound HTTPS connections to certain Liferay servers to validate the order.
- See the "Customer and Deployment Impact" section below for details on how these connections can be affected.
- To determine the activation method of your Liferay instance, see the Knowledge Base article "Determining the Activation Method of Your Liferay Instance" (listed under Related Resources).
# Affected Liferay Services and Websites
- releases.liferay.com (tentative)
- repository.liferay.com (tentative)
# Customer and Deployment Impact
Several Liferay Portal and DXP functionalities and applications make outbound connections to remote servers (including Liferay services and websites). Server administrators should review their deployment configuration and adjust it where needed so that the JVM initiates secure connections with a higher TLS protocol version and does not fall back to TLS 1.0.
# Technical Information
- The Java system property https.protocols controls the protocol versions offered by Java clients that connect through HttpsURLConnection or URL.openStream() (see Oracle's blog post Diagnosing TLS, SSL, and HTTPS). It does not affect code that opens SSLSocket objects directly or third-party HTTP client libraries; on Java 8 the jdk.tls.client.protocols property controls the default SSLContext used by those clients.
- On Java 8, the default client-side TLS version is TLS 1.2 (TLS 1.1 is also supported and enabled). TLS 1.0 remains enabled on the client side, so a Java 8 client still negotiates TLS 1.0 with a server that offers nothing higher unless TLS 1.0 is explicitly disabled.
- On Java 7, the default client-side TLS version is TLS 1.0; TLS 1.1 and 1.2 are supported but must be enabled manually. As of Java 7u111, TLS 1.1 and 1.2 are enabled by default, but this update is available to Oracle customers only.
- On Java 6, the default and only client-side TLS version is TLS 1.0. As of Java 6u111, TLS 1.1 is also supported, but this update is available to Oracle customers only.
As a result, Liferay Portal and DXP deployments are affected differently depending on the Java version they run on.
# Liferay DXP 7.0, 7.1, and 7.2
Liferay DXP requires Java 8, so these deployments have TLS 1.1 and 1.2 enabled by default, and their outbound connections can already negotiate the higher protocol versions. Because TLS 1.0 is still enabled on the Java 8 client side, Liferay recommends disabling it for outbound connections using the system property mentioned above.
# Liferay Portal 6.1 and 6.2 EE
Liferay Portal 6.2 EE and 6.1 EE GA3 versions support Java 8, which has TLS 1.1 and TLS 1.2 enabled by default. As with Liferay DXP installations, Liferay recommends disabling TLS 1.0 for clients (outbound connections) using the system property mentioned above.
Liferay Portal 6.1 and 6.2 EE deployments running on Java 7 should consider moving to Java 8.
# When do you need the fix?
- Deployments running on Java 8 may want to apply this fix to disable TLS 1.0 for outbound HTTPS requests; TLS 1.1 and 1.2 are already enabled by default in Java 8. → Recommended
- Deployments running on Java 7 require this fix to enable TLS 1.1/1.2 (and to disable TLS 1.0) for outbound HTTPS connections, unless they run Java 7u111 or later, where TLS 1.1/1.2 are already enabled by default. → Required
# How can you get the fix?
Users can access the fix for LPE-16580 through the following methods:
- Liferay DXP 7.2: No Fix Pack is needed as LPE-16580 was built into Liferay DXP 7.2.
- Liferay DXP 7.0, 7.1: Customers can download the latest fix pack (7.0 Fix Pack 64+ or 7.1 Fix Pack 4+) or open a Help Center ticket to request a hotfix.
- Liferay 6.2 EE, 6.1 EE GA3: Customers can download the latest fix pack (Portal-169+ or Portal-71+) or open a Help Center ticket to request a hotfix.
# Note for Deployments - Inbound Traffic
Liferay also recommends that server administrators disable TLS 1.0 and enable the higher TLS protocol versions for inbound traffic on all Liferay Portal and DXP deployments. The settings that control this vary by deployment and depend on where TLS is terminated: on the application server itself (for the Tomcat bundled with Liferay, for example, the sslEnabledProtocols attribute of the HTTPS Connector in server.xml) or on a reverse proxy or load balancer in front of it. System administrators should consult the documentation of the component that terminates TLS and apply the necessary changes. After the change, verify from outside the deployment that a TLS 1.0 handshake is refused while a TLS 1.2 handshake still succeeds (for example with openssl s_client -tls1 and openssl s_client -tls1_2 against the public endpoint).
# Related Resources
- Liferay Knowledge Base: Determining the Activation Method of Your Liferay Instance
- Liferay Announcement (Nov 1, 2018): Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
- Liferay Customer Bulletin (Nov 29, 2018): Delayed until January 11, 2019
- Oracle Documentation: JDK 8 Security Enhancements
- Oracle Documentation: Java SE 7 Security Enhancements
- Oracle Blog: JDK 8 will use TLS 1.2 as default
- Oracle Blog: Diagnosing TLS, SSL, and HTTPS
- JDK Bug System: JDK-7093640 Enable client-side TLS 1.2 by default
- Oracle Documentation: Java SE Development Kit 7, Update 95 (JDK 7u95) Release Notes
- IBM Support: How do I change the default SSL protocol my Java client application will use?