Liferay Security Announcement: TLS v1.0
The vulnerabilities in TLS 1.0 (and SSL protocols) include POODLE and DROWN. Due to these security risks, Liferay decided to disable TLS 1.0, as many other companies have done.
Moving to TLS 1.1 and higher will allow users to keep communications between Liferay and Liferay.com secure.
We will support TLS 1.1 and above.
Liferay Portal CE and Liferay DXP Functionality
Liferay DXP Functionality
Licensing (via order id, EE only)
Liferay Websites
api.liferay.com
cdn.lfrs.sl
community.liferay.com
customer.liferay.com
demo.liferay.com
dev.liferay.com
downloads.liferay.com
forms.liferay.com
learn.liferay.com
liferay.com
liferay.com.br
liferay.com.cn
liferay.de
liferay.es
liferay.org
marketplace.liferay.com
mp.liferay.com
origin.lfrs.sl
partner.liferay.com
services.liferay.com
support.liferay.com
translate.liferay.com
www.liferay.com
releases.liferay.com (tentative)
repository.liferay.com (tentative)
There are Liferay Portal CE/EE and Liferay DXP functionalities and applications that make outbound connections to remote servers (including Liferay services and websites). Server administrators should review their deployment configurations and adjust them (if needed) to enable initiating secure connections using a higher TLS protocol version and to prevent falling back to TLS 1.0.
On Java 8, the default client-side TLS version is TLS 1.2 (TLS 1.1 is also supported and enabled). Java 8 also introduced a new system property called jdk.tls.client.protocols to configure which protocols are enabled.
On Java 7, the default client-side TLS version is TLS 1.0. TLS 1.1 and 1.2 are also supported, but they must be enabled manually. As of Java 7u111, TLS 1.2 is also enabled by default, though this update is available for Oracle Subscribers only.
The system property, jdk.tls.client.protocols, is available as of Java 7u95 (for Oracle Subscribers only).
On Java 6, the default and only client-side TLS version is TLS 1.0. As of Java 6u111, TLS 1.1 is also supported, though this update is available for Oracle Subscribers only.
There is another Java system property available called https.protocols, which controls the protocol version used by Java clients in certain cases (see details on Oracle's blog: Diagnosing TLS, SSL, and HTTPS).
As a result of these differences, Liferay Portal CE and DXP deployments are affected differently.
Liferay Portal CE 7.0 and Liferay DXP 7.0 and above require Java 8, so these deployments have TLS 1.2 enabled by default, which ensures that outbound connections can use the higher, more secure protocol versions. To improve your server's security, Liferay recommends disabling TLS 1.0 for clients (outbound connections) using the system properties mentioned above.
Liferay Portal 6.2 CE/EE and 6.1 EE GA3 versions support Java 8, which has TLS 1.2 enabled by default. Liferay Portal CE 6.1 does not support Java 8. Liferay recommends disabling TLS 1.0 for clients (outbound connections) using the system properties mentioned above.
Liferay Portal EE 6.1 and Liferay Portal CE/EE 6.2 deployments running on Java 7 should consider moving to Java 8. Liferay Portal 6.1 CE deployments should consider upgrading to a newer version with Java 8 support. There is a known issue that prevents enabling TLS 1.1/1.2 manually using the system properties mentioned earlier.
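To confirm what the client-side settings described above resolve to on a given JVM, the following added example (not Liferay or Oracle code) prints the protocols a default outbound TLS connection will offer and fails if TLS 1.0 or older is still among them. The class name TlsClientCheck and the choice of which protocol names count as weak are assumptions of this example; the behavior described in the comments is that of the Oracle/OpenJDK JSSE provider.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Run with the same JVM and the same options as the portal's application server, e.g.:
//   java -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 -Dhttps.protocols=TLSv1.1,TLSv1.2 TlsClientCheck
public class TlsClientCheck {
    // JSSE protocol names treated as weak here (assumption of this example: TLS 1.0 and SSL 3.0).
    private static final List<String> WEAK = Arrays.asList("SSLv3", "TLSv1");

    // Returns the entries of a protocol list that are TLS 1.0 or older.
    static List<String> weakIn(String[] protocols) {
        List<String> found = new ArrayList<String>();
        for (String p : protocols) {
            if (WEAK.contains(p.trim())) {
                found.add(p.trim());
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        String https = System.getProperty("https.protocols");
        System.out.println("java.version             = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("https.protocols          = " + https);

        // Protocols a default client socket offers; jdk.tls.client.protocols changes this list.
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("enabled for clients      = " + Arrays.toString(enabled));
        System.out.println("supported by this JVM    = " + Arrays.toString(supported));

        List<String> weak = weakIn(enabled);
        // https.protocols applies only to HttpsURLConnection and URL.openStream();
        // when it is unset, those connections use the default list checked above.
        if (https != null) {
            weak.addAll(weakIn(https.split(",")));
        }
        if (!Arrays.asList(supported).contains("TLSv1.2")) {
            System.out.println("WARNING: this JVM cannot negotiate TLSv1.2 at all");
        }
        if (!weak.isEmpty()) {
            System.out.println("FAIL: outbound connections may still offer " + weak);
            System.exit(1);
        }
        System.out.println("OK: TLS 1.0 and older are not offered to remote servers");
    }
}
```

The check covers only code that relies on the JVM defaults; a library that sets enabled protocols on its own sockets is not affected by either property.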
Liferay also recommends that server administrators disable support for TLS 1.0 and enable higher TLS protocols for inbound traffic on all Liferay Portal CE/EE and Liferay DXP deployments. The actual settings to enable and configure TLS can vary on each deployment, so system administrators should consult their application server documentation and apply the necessary changes.
Oracle Documentation: JDK 8 Security Enhancements
Oracle Documentation: Java SE 7 Security Enhancements
Oracle Blog: JDK 8 will use TLS 1.2 as default
Oracle Blog: Diagnosing TLS, SSL, and HTTPS
JDK Bug System: JDK-7093640 Enable client-side TLS 1.2 by default
Oracle Documentation: Java SE Development Kit 7, Update 95 (JDK 7u95)
IBM Support: How do I change the default SSL protocol my Java Client Application will use?