Articles in this section

See more

Disabling older versions of TLS in Portfolio

Avatar
Jay
  • Updated

Affected versions

This article applies to Portfolio 3.6.3 through Portfolio 4.0.1.

Solution

You can disable TLS 1.0 and 1.1 for the Portfolio client, Portfolio Administration, and Portfolio NetPublish services.

Stopping the Portfolio services

To stop the Portfolio services on Windows Server, open the Services panel (services.msc) and stop the Portfolio Server and Portfolio Server Admin services. NetPublish will also shut down; the other services can continue running.

To stop the Portfolio services on macOS:

  1. Log in to Portfolio Administration
  2. On the Status panel, click Stop Portfolio
  3. Open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account
  4. Enter the following command and press Enter:
    sudo launchctl unload /Library/LaunchDaemons/com.extensis.dam-server.web.admin.launchd.plist

Modifying the standalone.xml files on Windows

Go to C:\Program Files\Extensis\Portfolio Server\applications\tomcat\servers\admin\conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file admin-server.xml.

Open the original server.xml in a text editor and look for the following section:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
URIEncoding="UTF-8"

Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.

Go to C:\Program Files\Extensis\Portfolio Server\applications\tomcat\servers\main\conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file main-server.xml.

Open the original server.xml in a text editor and look for the following section:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
URIEncoding="UTF-8"

Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.

Modifying the standalone.xml files on macOS

Go to /Applications/Extensis/Portfolio Server/applications/tomcat/servers/admin/conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file admin-server.xml.

Open the original server.xml in a text editor and look for the following section:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
URIEncoding="UTF-8"

Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.

Go to /Applications/Extensis/Portfolio Server/applications/tomcat/servers/main/conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file main-server.xml.

Open the original server.xml in a text editor and look for the following section:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
URIEncoding="UTF-8"

Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.

Patching Portfolio NetPublish for macOS

To disable TLS 1.0 and 1.1 in Portfolio NetPublish, you can download an updated www file from https://cs.extensis.com/dam/portfolio/www.zip.

  1. Unzip the www file
  2. Go to /Applications/Extensis/Portfolio Server/applications/netpublish/bin
  3. Move the existing www file to the Desktop
  4. Move the new www file into the folder

When the Portfolio Server service is restarted, NetPublish will use the new file.

Patching Portfolio NetPublish for Windows

To disable TLS 1.0 and 1.1 in Portfolio NetPublish, you can download an updated www file from https://cs.extensis.com/dam/portfolio/www.zip.

  1. Unzip the www file
  2. Go to C:\Program Files\Extensis\Portfolio Server\applications\netpublish\bin
  3. Move the existing www file to the Desktop
  4. Move the new www file into the folder

When the Portfolio Server service is restarted, NetPublish will use the new file.

Restarting the Portfolio services

To start the Portfolio services on Windows Server, open the Services panel and start the Portfolio Server and Portfolio Server Admin services. NetPublish will start automatically.

To start the Portfolio services on macOS:

  1. Open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account
  2. Enter the following command and press Enter:
    sudo launchctl load /Library/LaunchDaemons/com.extensis.dam-server.web.admin.launchd.plist
  3. Log in to Portfolio Administration
  4. On the Status panel, click Start Portfolio

Verifying that TLS 1.0 and 1.1 are disabled in Portfolio

OpenSSL can test an HTTPS connection to confirm TLS 1.0 and 1.1 are disabled. You can get a Windows installer for OpenSSL 1.1.1 at https://slproweb.com/download/Win64OpenSSL_Light-1_1_1q.exe; macOS ships with OpenSSL installed.

Open a Terminal window (macOS) or a Command Prompt window (Windows). Enter the following command, replacing <servername> with your Portfolio server address:

openssl s_client -connect <servername>:9443 -tls1

To test the Portfolio Administration connection, use:

openssl s_client -connect <servername>:9453 -tls1

To test the Portfolio NetPublish connection, use:

openssl s_client -connect <servername>:8095 -tls1

To test TLS 1.1, replace -tls1 with -tls1_1 in the commands.

You will see a response like:

140736060793800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.3/libressl/ssl/s3_pkt.c:321:
CONNECTED(00000005)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1641422564
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Related articles