Affected versions
This article applies to Universal Type Server 7. These instructions will not work for Universal Type Server 6 or earlier versions.
Solution
Universal Type Server 7 disables TLS 1.1 by default.
TLS 1.0 is enabled to allow Universal Type Client 6 to connect to UTS 7. If you want to disable TLS 1.0, make sure your users have upgraded to UTC 7.
Stopping the Universal Type Server services
To stop the UTS services on Windows Server, open the Services panel (services.msc) and stop the Universal Type Server and Universal Type Server Web Admin services. The other services can continue running.
To stop the UTS services on macOS, open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account. Enter the following command and press Enter:
sudo launchctl unload /Library/LaunchDaemons/com.extensis.server.web.admin.launchd.plist
Modifying the standalone.xml file
On Windows, go to C:\Program Files\Extensis\Universal Type Server\applications\jboss\standalone\configuration. On macOS, go to /Applications/Extensis/Universal Type Server/applications/jboss/standalone/configuration.
Make a backup of standalone.xml by dragging a copy to the Desktop. Open the original standalone.xml in a text editor and look for the following section:
<https-listener name="https" secure="true" max-connections="100" max-post-size="2147483648" enabled-protocols="TLSv1,TLSv1.2" enabled-cipher-suites=" TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA" security-realm="UndertowRealm" socket-binding="https" disallowed-methods="TRACE TRACK" />
Change enabled-protocols="TLSv1,TLSv1.2" to enabled-protocols="TLSv1.2" and save the changes.
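Before restarting the services, the edit can be checked offline. The following script is an added example, not part of the original article or Extensis tooling: it parses standalone.xml and reports any https-listener whose enabled-protocols still lists a protocol older than TLSv1.2. It assumes Python 3 is installed; the function names, the allow-list and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: only these protocol names count as acceptable. The article's
# target value is TLSv1.2; TLSv1.3 is allowed here for newer configurations.
ALLOWED = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: the listener from the article (trimmed) inside
# placeholder namespaces. A real standalone.xml declares its own namespaces.
SAMPLE = """<server xmlns="urn:example:constructed">
  <subsystem xmlns="urn:example:constructed:undertow">
    <https-listener name="https" secure="true"
        enabled-protocols="TLSv1,TLSv1.2"
        security-realm="UndertowRealm" socket-binding="https"/>
  </subsystem>
</server>"""


def audit_listeners(xml_text):
    """Return [(listener name, legacy protocols, attribute present?)]."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Strip any "{namespace}" prefix so the match does not depend on
        # which subsystem namespace the file declares.
        if elem.tag.rsplit("}", 1)[-1] != "https-listener":
            continue
        raw = elem.get("enabled-protocols")
        protocols = [p.strip() for p in (raw or "").split(",") if p.strip()]
        legacy = [p for p in protocols if p not in ALLOWED]
        findings.append((elem.get("name", "?"), legacy, raw is not None))
    return findings


def main(argv):
    # With no path argument, audit the constructed sample instead.
    text = Path(argv[1]).read_bytes() if len(argv) > 1 else SAMPLE
    failed = 0
    for name, legacy, pinned in audit_listeners(text):
        if pinned and not legacy:
            print(f"{name}: OK")
            continue
        failed = 1
        print(f"{name}: " + (f"still enables {', '.join(legacy)}" if pinned
                             else "enabled-protocols is not set"))
    return failed


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to standalone.xml as the only argument; a non-zero exit status means at least one listener still needs editing.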
Restarting the Universal Type Server services
To start the UTS services on Windows Server, open the Services panel and start the Universal Type Server and Universal Type Server Web Admin services.
To start the UTS services on macOS, open a Terminal window using an Administrator account. Enter the following command and press Enter:
sudo launchctl load /Library/LaunchDaemons/com.extensis.server.web.admin.launchd.plist
Log in to Server Administration and set the server state to Started.
Verifying that TLS 1.0 is disabled in Universal Type Server
OpenSSL can test an HTTPS connection to confirm TLS 1.0 is not available. You can get a Windows installer for OpenSSL 1.1.1 at https://slproweb.com/download/Win64OpenSSL_Light-1_1_1t.exe; macOS ships with OpenSSL installed.
Open a Terminal window (macOS) or a Command Prompt window (Windows). Enter the following command, replacing <servername> with your UTS server address:
openssl s_client -connect <servername>:8443 -tls1
With TLS 1.0 disabled, the handshake fails and no cipher is negotiated (Cipher is (NONE)). You will see a response like:
140736060793800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.3/libressl/ssl/s3_pkt.c:321:
CONNECTED(00000005)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1641422564
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
---