Delayed: Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites

Delayed until January 11, 2019

Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites

We previously announced that Liferay would be disabling TLS 1.0 for inbound secure connections on all systems and services at the end of November. However, we decided to delay this date in order to give customers more time to implement changes and install patches. We disabled TLS 1.0 for inbound secure connections to Liferay systems and services on January 11, 2019.

Mitigation

The Mitigation Notes for Deployment section of the related Knowledge Base article details a known issue which prevents manually configuring the https.protocols system property to control the allowed TLS protocols for outbound HTTPS connections.

When do you need the fix?

  • Deployments running on Java 8 may want to apply this fix to disable TLS 1.0 for outbound HTTPS requests. TLS 1.1 and 1.2 are enabled by default in Java 8. (Recommended)
  • Deployments running on Java 7 require this fix in order to enable TLS 1.1/1.2 (and also to disable TLS 1.0) for outbound HTTPS connections, unless using Java 7u111. (Required)
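
To see which of the two cases above applies to a given JVM, the following added example (not Liferay code; the class name OutboundTlsCheck is hypothetical) prints the TLS versions the JVM offers by default on outbound connections. It reports JVM defaults only, so run it with the same Java binary and system properties as the portal; it does not inspect the portal's own HTTP client.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example (not Liferay code): reports which TLS versions this JVM
// offers by default on outbound (client) connections.
public class OutboundTlsCheck {

    // Protocol names are the standard JSSE names ("TLSv1" is TLS 1.0).
    static String assess(List<String> enabled, List<String> supported) {
        boolean modern = enabled.contains("TLSv1.1")
                || enabled.contains("TLSv1.2")
                || enabled.contains("TLSv1.3");
        if (!modern) {
            // Matches the "Required" case: nothing newer than TLS 1.0 is offered.
            return supported.contains("TLSv1.2")
                ? "FAIL: TLS 1.1/1.2 supported but not enabled for outbound connections"
                : "FAIL: this JVM does not support TLS 1.2";
        }
        if (enabled.contains("TLSv1") || enabled.contains("SSLv3")) {
            // Matches the "Recommended" case: newer versions work, TLS 1.0 is still offered.
            return "WARN: TLS 1.1 or newer enabled, but TLS 1.0 or older is still offered";
        }
        return "OK: only TLS 1.1 or newer is offered";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());

        System.out.println("java.version    = " + System.getProperty("java.version"));
        // HttpsURLConnection reads this property; null means it is not set.
        System.out.println("https.protocols = " + System.getProperty("https.protocols"));
        System.out.println("enabled         = " + enabled);
        System.out.println("supported       = " + supported);

        String verdict = assess(enabled, supported);
        System.out.println(verdict);
        // Non-zero exit lets a deployment script flag the host.
        System.exit(verdict.startsWith("OK") ? 0 : 1);
    }
}
```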

How can you get the fix?

Users can access the fix for LPE-16580 through the following methods:

  • Liferay DXP 7.0, 7.1: Customers can download the latest fix pack (7.0 Fix Pack 64+ or 7.1 Fix Pack 4+) or open a Help Center ticket to request a hotfix.
  • Liferay 6.2 EE, 6.1 EE GA3: Customers can download the latest fix pack (Portal-169+ or Portal-71+) or open a Help Center ticket to request a hotfix.
