Affected versions
This article applies to Portfolio 3.6.3 through Portfolio 4.0.
Solution
You can disable TLS 1.0 and 1.1 for the Portfolio client, Portfolio Administration, and Portfolio NetPublish services.
Stopping the Portfolio services
To stop the Portfolio services on Windows Server, open the Services panel (services.msc) and stop the Portfolio Server and Portfolio Server Admin services. NetPublish will also shut down; the other services can continue running.
To stop the Portfolio services on macOS:
- Log in to Portfolio Administration
- On the Status panel, click Stop Portfolio
- Open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account
- Enter the following command and press Enter:
sudo launchctl unload /Library/LaunchDaemons/com.extensis.dam-server.web.admin.launchd.plist
Modifying the standalone.xml files on Windows
Go to C:\Program Files (x86)\Extensis\Portfolio Server\applications\tomcat\servers\admin\conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the copy admin-server.xml.
Open the original server.xml in a text editor and look for the following section:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"
Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.
Go to C:\Program Files\Extensis\Portfolio Server\applications\tomcat\servers\main\conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the copy main-server.xml.
Open the original server.xml in a text editor and look for the following section:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"
Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.
Modifying the standalone.xml files on macOS
Go to /Applications/Extensis/Portfolio Server/applications/tomcat/servers/admin/conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the copy admin-server.xml.
Open the original server.xml in a text editor and look for the following section:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"
Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.
Go to /Applications/Extensis/Portfolio Server/applications/tomcat/servers/main/conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the copy main-server.xml.
Open the original server.xml in a text editor and look for the following section:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"
Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.
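A check to run on the edited files before restarting the services, as an added example that is not part of the original article: this shell function (macOS Terminal or any POSIX shell) lists every protocol attribute that still names TLSv1 or TLSv1.1. It accepts both attribute spellings used in the steps above; the Connector element and port in the sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: find protocol attributes that still enable TLS 1.0 or 1.1.

# Prints file:line:attribute="value" for each offending attribute.
# A file with no protocol attribute at all is reported on stderr, so that
# pointing the check at the wrong file is not mistaken for a clean result.
find_legacy_tls() {
    attr='(sslEnabledProtocols|enabled-protocols)="[^"]*"'
    for file in "$@"; do
        grep -qE "$attr" "$file" || {
            echo "$file: no protocol attribute found" >&2
            continue
        }
        grep -noE "$attr" "$file" |
        while IFS= read -r hit; do
            value=${hit#*\"}      # drop everything up to the opening quote
            value=${value%\"}     # drop the closing quote
            # The list is "+"-separated on this page; commas are accepted too.
            for proto in $(printf '%s' "$value" | tr '+,' '  '); do
                case $proto in
                    TLSv1|TLSv1.1) printf '%s:%s\n' "$file" "$hit"; break ;;
                esac
            done
        done
    done
}

# Constructed fragments (not copied from a real server.xml): the attribute
# values come from the article, the surrounding element is hypothetical.
SAMPLE_BEFORE='<Connector port="9443" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" URIEncoding="UTF-8"/>'
SAMPLE_AFTER='<Connector port="9443" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" URIEncoding="UTF-8"/>'

# Usage: sh check.sh "<path to admin conf>/server.xml" "<path to main conf>/server.xml"
if [ "$#" -gt 0 ]; then find_legacy_tls "$@"; fi
```

No output means neither file still lists TLSv1 or TLSv1.1.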
Patching Portfolio NetPublish for macOS
To disable TLS 1.0 and 1.1 in Portfolio NetPublish, you can download an updated www file from https://cs.extensis.com/dam/portfolio/www.zip.
- Unzip the www file
- Go to /Applications/Extensis/Portfolio Server/applications/netpublish/bin
- Move the existing www file to the Desktop
- Move the new www file into the folder
When the Portfolio Server service is restarted, NetPublish will use the new file.
Patching Portfolio NetPublish for Windows
To disable TLS 1.0 and 1.1 in Portfolio NetPublish, you can download an updated www file from https://cs.extensis.com/dam/portfolio/www.zip.
- Unzip the www file
- Go to C:\Program Files\Extensis\Portfolio Server\applications\netpublish\bin
- Move the existing www file to the Desktop
- Move the new www file into the folder
When the Portfolio Server service is restarted, NetPublish will use the new file.
Restarting the Portfolio services
To start the Portfolio services on Windows Server, open the Services panel and start the Portfolio Server and Portfolio Server Admin services. NetPublish will start automatically.
To start the Portfolio services on macOS:
- Open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account
- Enter the following command and press Enter:
sudo launchctl load /Library/LaunchDaemons/com.extensis.dam-server.web.admin.launchd.plist
- Log in to Portfolio Administration
- On the Status panel, click Start Portfolio
Verifying that TLS 1.0 and 1.1 are disabled in Portfolio
OpenSSL can test an HTTPS connection to confirm TLS 1.0 and 1.1 are disabled. You can get a Windows installer for OpenSSL 1.1.1 at https://slproweb.com/download/Win64OpenSSL_Light-1_1_1q.exe; macOS ships with OpenSSL installed.
Open a Terminal window (macOS) or a Command Prompt window (Windows). Enter the following command, replacing <servername> with your Portfolio server address:
openssl s_client -connect <servername>:9443 -tls1
To test the Portfolio Administration connection, use:
openssl s_client -connect <servername>:9453 -tls1
To test the Portfolio NetPublish connection, use:
openssl s_client -connect <servername>:8095 -tls1
To test TLS 1.1, replace -tls1 with -tls1_1 in the commands.
If the protocol is disabled, the handshake fails and you will see a response like:
140736060793800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.3/libressl/ssl/s3_pkt.c:321:
CONNECTED(00000005)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1641422564
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
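The same check can be scripted so that a closed port is not mistaken for a disabled protocol. This added example (not part of the original article) runs the openssl s_client commands above against the three ports and classifies each transcript; the -tls1_2 probe and the sample transcripts are additions of the example, not output from a real Portfolio server.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` results for the Portfolio ports.

# Reads one s_client transcript on stdin and prints:
#   rejected     - TCP connected, no cipher negotiated (protocol refused)
#   accepted     - handshake completed with a real cipher (protocol enabled)
#   inconclusive - never connected; says nothing about the TLS settings
classify_handshake() {
    awk '
        /CONNECTED\(/ { connected = 1 }
        /Cipher is /  { cipher = $NF }
        END {
            if (!connected)                              print "inconclusive"
            else if (cipher == "" || cipher == "(NONE)") print "rejected"
            else                                         print "accepted"
        }'
}

# Probe the ports used in the commands above: 9443, 9453 (Administration)
# and 8095 (NetPublish). -tls1_2 is a positive control.
check_portfolio_tls() {
    host=$1
    for port in 9443 9453 8095; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            result=$(openssl s_client -connect "$host:$port" "$flag" \
                         </dev/null 2>&1 | classify_handshake)
            printf '%s:%s %s %s\n' "$host" "$port" "$flag" "$result"
        done
    done
}

# Constructed transcripts (not captured from a real server) for offline use.
SAMPLE_REJECTED='CONNECTED(00000005)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
    Cipher    : 0000'
SAMPLE_ACCEPTED='CONNECTED(00000005)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Cipher    : ECDHE-RSA-AES256-SHA'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=61'

# Run against a real server only when a host name is given as an argument.
if [ -n "${1:-}" ]; then check_portfolio_tls "$1"; fi
```

After the change, each port should report rejected for -tls1 and -tls1_1 and accepted for -tls1_2; if the -tls1_2 row is not accepted, the service is down or unreachable and the rejected rows prove nothing.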