Affected versions
This article applies to Portfolio 3.6.3 and Portfolio 4.0.
Solution
You can disable TLS 1.0 and 1.1 for the Portfolio client and Portfolio Administration services.
Stopping the Portfolio services
To stop the Portfolio services on Windows Server, open the Services panel (services.msc) and stop the Portfolio Server and Portfolio Server Admin services. The other services can continue running.
To stop the Portfolio services on macOS:
- Log in to Portfolio Administration
- On the Status panel, click Stop Portfolio
- Open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account
- Enter the following command and press Enter:
sudo launchctl unload /Library/LaunchDaemons/com.extensis.dam-server.web.admin.launchd.plist
Modifying the server.xml files on Windows
Go to C:\Program Files\Extensis\Portfolio Server\applications\tomcat\servers\admin\conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file admin-server.xml.
Open the original server.xml in a text editor and look for the following section:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"
Change sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
to sslEnabledProtocols="TLSv1.2"
and save the changes.
Go to C:\Program Files\Extensis\Portfolio Server\applications\tomcat\servers\main\conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file main-server.xml.
Open the original server.xml in a text editor and look for the following section:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"
Change sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
to sslEnabledProtocols="TLSv1.2"
and save the changes.
Modifying the server.xml files on macOS
Go to /Applications/Extensis/Portfolio Server/applications/tomcat/servers/admin/conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file admin-server.xml.
Open the original server.xml in a text editor and look for the following section:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"
Change sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
to sslEnabledProtocols="TLSv1.2"
and save the changes.
Go to /Applications/Extensis/Portfolio Server/applications/tomcat/servers/main/conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file main-server.xml.
Open the original server.xml in a text editor and look for the following section:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"
Change sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
to sslEnabledProtocols="TLSv1.2"
and save the changes.
Restarting the Portfolio services
To start the Portfolio services on Windows Server, open the Services panel and start the Portfolio Server and Portfolio Server Admin services.
To start the Portfolio services on macOS:
- Open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account
- Enter the following command and press Enter:
sudo launchctl load /Library/LaunchDaemons/com.extensis.dam-server.web.admin.launchd.plist
- Log in to Portfolio Administration
- On the Status panel, click Start Portfolio
Verifying that TLS 1.0 and 1.1 are disabled in Portfolio
OpenSSL can test an HTTPS connection to confirm TLS 1.0 and 1.1 are disabled. You can get a Windows installer for OpenSSL 1.1.1 at https://slproweb.com/download/Win64OpenSSL_Light-1_1_1m.exe; macOS ships with OpenSSL installed.
Open a Terminal window (macOS) or a Command Prompt window (Windows). Enter the following command, replacing <servername> with your Portfolio server address:
openssl s_client -connect <servername>:9443 -tls1
To test the Portfolio Administration connection, use:
openssl s_client -connect <servername>:9453 -tls1
To test TLS 1.1, replace -tls1 with -tls1_1 in the commands.
If the protocol is disabled, the handshake fails and you will see a response like:
    140736060793800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.3/libressl/ssl/s3_pkt.c:321:
    CONNECTED(00000005)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1641422564
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    ---
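The verification above can be scripted. The following shell script is an added example, not part of the original article or Extensis code: it runs the article's openssl commands against both ports (9443 and 9453), adds -tls1_2 as a positive control so an unreachable server is not mistaken for a disabled protocol, and classifies each response. The function names and verdict words are illustrative.

```shell
#!/bin/sh
# Added example (not Extensis code): script the article's openssl checks.

# classify_s_client: read `openssl s_client` output on stdin, print a verdict.
#   refused        - TCP connected, no cipher negotiated (protocol disabled)
#   accepted       - a cipher was negotiated (protocol still enabled)
#   unreachable    - no TCP connection, so nothing is learned about TLS
#   client-blocked - the local OpenSSL policy will not offer this version
classify_s_client() {
    out=$(cat)
    case $out in
        *"no protocols available"*) echo client-blocked; return ;;
    esac
    case $out in
        *"CONNECTED("*) ;;
        *) echo unreachable; return ;;
    esac
    case $out in
        *"Cipher is (NONE)"*) echo refused ;;
        *"Cipher is "*)       echo accepted ;;
        *)                    echo unknown ;;
    esac
}

# probe_portfolio HOST: test the client port (9443) and the Administration
# port (9453) with -tls1 and -tls1_1, plus -tls1_2 as a positive control.
# Returns 0 only if both legacy versions are refused and TLS 1.2 is accepted.
probe_portfolio() {
    host=$1
    status=0
    for port in 9443 9453; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            verdict=$(openssl s_client -connect "$host:$port" "$flag" \
                </dev/null 2>&1 | classify_s_client)
            want=refused
            if [ "$flag" = -tls1_2 ]; then want=accepted; fi
            if [ "$verdict" != "$want" ]; then status=1; fi
            echo "$host:$port $flag $verdict (expected $want)"
        done
    done
    return "$status"
}

# Run as: sh check_portfolio_tls.sh <servername>
if [ $# -gt 0 ]; then
    probe_portfolio "$1"
fi
```

A client-blocked verdict means the local OpenSSL build or configuration would not offer that TLS version, so the server's setting was not actually tested; repeat the check from a client that can still offer TLS 1.0 and 1.1.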