Due to vulnerabilities in Transport Layer Security (TLS) v1.0, Liferay will be disabling TLS 1.0 for inbound secure connections on all systems and services on January 11, 2019.
Update: This has been moved to January 11, 2019.
Reason for the changes
The vulnerabilities in TLS 1.0 (and the SSL protocols) include POODLE and DROWN. Because of these security risks, Liferay has decided to disable TLS 1.0, as many other companies have already done.
Moving to TLS 1.1 and higher will allow users to keep communications between Liferay and Liferay.com secure.
Which TLS versions Liferay systems will support
We will support TLS 1.1 and above.
Affected Liferay Services and Websites
Liferay Portal CE and Liferay DXP Functionality
- Marketplace
Liferay DXP Functionality
- Licensing (via order id, EE only)
Liferay Websites
- api.liferay.com
- cdn.lfrs.sl
- community.liferay.com
- customer.liferay.com
- demo.liferay.com
- dev.liferay.com
- downloads.liferay.com
- forms.liferay.com
- learn.liferay.com
- liferay.com
- liferay.com.br
- liferay.com.cn
- liferay.de
- liferay.es
- liferay.org
- marketplace.liferay.com
- mp.liferay.com
- origin.lfrs.sl
- partner.liferay.com
- services.liferay.com
- support.liferay.com
- translate.liferay.com
- www.liferay.com
- releases.liferay.com (tentative)
- repository.liferay.com (tentative)
Deployment Impact
There are Liferay Portal CE/EE and Liferay DXP functionalities and applications that make outbound connections to remote servers (including Liferay services and websites). Server administrators should review their deployment configurations and adjust them (if needed) to enable initiating secure connections using a higher TLS protocol version and to prevent falling back to TLS 1.0.
Mitigation Notes for Deployments
Technical Information
- On Java 8, the default client-side TLS version is TLS 1.2 (TLS 1.1 is also supported and enabled). Java 8 also introduced a new system property, jdk.tls.client.protocols, to configure which protocols are enabled.
- On Java 7, the default client-side TLS version is TLS 1.0; TLS 1.1 and 1.2 are also supported but must be enabled manually. As of Java 7u111, TLS 1.2 is also enabled by default, though this update is available to Oracle Subscribers only.
  - The system property jdk.tls.client.protocols is available as of Java 7u95 (Oracle Subscribers only).
- On Java 6, the default and only client-side TLS version is TLS 1.0. As of Java 6u111, TLS 1.1 is also supported, though this update is available to Oracle Subscribers only.
- There is another Java system property, https.protocols, which controls the protocol version used by Java clients in certain cases (see the details on Oracle's blog: Diagnosing TLS, SSL, and HTTPS).
As a result, Liferay Portal CE and DXP deployments are affected differently depending on the Java version they run on.
Liferay Portal CE/DXP 7.0 and 7.1
Liferay Portal CE 7.0 and Liferay DXP 7.0 and above require Java 8, so these deployments have TLS 1.2 enabled by default and ensure that outbound connections can use higher secure protocol versions. To improve your server's security, Liferay recommends disabling TLS 1.0 for clients (outbound connections) using the system properties mentioned above.
Liferay Portal CE/EE 6.1 and 6.2
Liferay Portal 6.2 CE/EE and 6.1 EE GA3 versions support Java 8, which has TLS 1.2 enabled by default. Liferay Portal CE 6.1 does not support Java 8. Liferay recommends disabling TLS 1.0 for clients (outbound connections) using the system properties mentioned above.
Liferay Portal EE 6.1 and Liferay Portal CE/EE 6.2 deployments running on Java 7 should consider moving to Java 8. Liferay Portal 6.1 CE deployments should consider upgrading to a newer version with Java 8 support. There is a known issue that prevents enabling TLS 1.1/1.2 manually using the system properties mentioned earlier.
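To confirm that the system properties described above actually took effect, the following added check (not part of Liferay's announcement or code base) asks the JVM which protocols it will offer on an outbound connection and fails if TLS 1.0 or SSLv3 is still enabled. It assumes the class name TlsClientCheck and is run as, for example, `java -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 TlsClientCheck`.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.List;

// Added example (hypothetical class name): reports the client-side TLS
// versions the default SSLContext enables and flags legacy ones.
public class TlsClientCheck {

    // JSSE names for the protocol versions that should no longer be offered.
    private static final List<String> LEGACY = Arrays.asList("SSLv3", "TLSv1");

    // Protocols this JVM enables for client-mode (outbound) TLS handshakes.
    // jdk.tls.client.protocols is honoured here; https.protocols is not,
    // because that property only affects HttpsURLConnection.
    static String[] enabledClientProtocols() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        return engine.getEnabledProtocols();
    }

    static boolean offersLegacyProtocol(String[] protocols) {
        for (String p : protocols) {
            if (LEGACY.contains(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String[] enabled = enabledClientProtocols();
        System.out.println("jdk.tls.client.protocols = "
                + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("https.protocols          = "
                + System.getProperty("https.protocols"));
        System.out.println("Enabled client protocols : " + Arrays.toString(enabled));
        if (offersLegacyProtocol(enabled)) {
            System.out.println("WARNING: outbound connections can still fall back to TLS 1.0."
                    + " Add -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to the JVM options"
                    + " (for Tomcat, e.g. via JAVA_OPTS in setenv.sh).");
            System.exit(1);
        }
        System.out.println("OK: TLS 1.0 is disabled for outbound connections.");
    }
}
```

Run it once with the JVM options your application server actually uses; the exit code makes it easy to wire into a deployment health check.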
Note for Deployments - Inbound Traffic
Liferay also recommends that server administrators disable support for TLS 1.0 and enable higher TLS protocols for inbound traffic on all Liferay Portal CE/EE and Liferay DXP deployments. The actual settings to enable and configure TLS can vary on each deployment, so system administrators should consult with their Application Server documentation and apply the necessary changes.
Related Resources
- Oracle Documentation: JDK 8 Security Enhancements
- Oracle Documentation: Java SE 7 Security Enhancements
- Oracle Blog: JDK 8 will use TLS 1.2 as default
- Oracle Blog: Diagnosing TLS, SSL, and HTTPS
- JDK Bug System: JDK-7093640 Enable client-side TLS 1.2 by default
- Oracle Documentation: Java SE Development Kit 7, Update 95 (JDK 7u95)
- IBM Support: How do I change the default SSL protocol my Java Client Application will use?