Articles in this section

See more

Disabling older versions of TLS in Portfolio

Avatar
Jay
  • Updated

Affected versions

This article applies to Portfolio 3.6.3 and Portfolio 4.0.

Solution

You can disable TLS 1.0 and 1.1 for the Portfolio client and Portfolio Administration services.

Stopping the Portfolio services

To stop the Portfolio services on Windows Server, open the Services panel (services.msc) and stop the Portfolio Server and Portfolio Server Admin services. The other services can continue running.

To stop the Portfolio services on macOS:

  1. Log in to Portfolio Administration
  2. On the Status panel, click Stop Portfolio
  3. Open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account
  4. Enter the following command and press Enter:
    sudo launchctl unload /Library/LaunchDaemons/com.extensis.dam-server.web.admin.launchd.plist

Modifying the standalone.xml files on Windows

Go to C:\Program Files\Extensis\Portfolio Server\applications\tomcat\servers\admin\conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file admin-server.xml.

Open the original server.xml in a text editor and look for the following section:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
URIEncoding="UTF-8"

Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.

Go to C:\Program Files\Extensis\Portfolio Server\applications\tomcat\servers\main\conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file main-server.xml.

Open the original server.xml in a text editor and look for the following section:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
URIEncoding="UTF-8"

Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.

Modifying the standalone.xml files on macOS

Go to /Applications/Extensis/Portfolio Server/applications/tomcat/servers/admin/conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file admin-server.xml.

Open the original server.xml in a text editor and look for the following section:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
URIEncoding="UTF-8"

Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.

Go to /Applications/Extensis/Portfolio Server/applications/tomcat/servers/main/conf. Make a backup of server.xml by dragging a copy to the Desktop; rename the file main-server.xml.

Open the original server.xml in a text editor and look for the following section:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"
URIEncoding="UTF-8"

Change enabled-protocols="TLSv1.2+TLSv1.1+TLSv1" to enabled-protocols="TLSv1.2" and save the changes.

Restarting the Portfolio services

To start the Portfolio services on Windows Server, open the Services panel and start the Portfolio Server and Portfolio Server Admin services.

To stop the Portfolio services on macOS:

  1. Open a Terminal window (/Applications/Utilities/Terminal) using an Administrator account
  2. Enter the following command and press Enter:
    sudo launchctl load /Library/LaunchDaemons/com.extensis.dam-server.web.admin.launchd.plist
  3. Log in to Portfolio Administration
  4. On the Status panel, click Start Portfolio

Verifying that TLS 1.0 and 1.1 are disabled in Portfolio

OpenSSL can test an HTTPS connection to confirm TLS 1.0 and 1.1 are disabled. You can get a Windows installer for OpenSSL 1.1.1 at https://slproweb.com/download/Win64OpenSSL_Light-1_1_1m.exe; macOS ships with OpenSSL installed.

Open a Terminal window (macOS) or a Command Prompt window (Windows). Enter the following command, replacing <servername> with your Portfolio server address:

openssl s_client -connect <servername>:9443 -tls1

To test the Portfolio Administration connection, use:

openssl s_client -connect <servername>:9453 -tls1

To test TLS 1.1, replace -tls1 with -tls1_1 in the commands.

You will see a response like:

140736060793800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.3/libressl/ssl/s3_pkt.c:321:
CONNECTED(00000005)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1641422564
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Related articles