-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 6.1 EE GA1 (6.1.10), 6.1 EE GA2 (6.1.20), 6.1 EE GA3 (6.1.30), 6.2 EE GA1 (6.2.10), 7.0 DE (7.0.10), 7.1 DXP (7.1.10)
-
Component/s: Application Security
-
Fix Pack Status:Scheduled
-
7.0 Fix Pack Version:64
-
7.1 Fix Pack Version:4
Please visit https://help.liferay.com/hc/en-us/articles/360019140811 or https://community.liferay.com/blogs/-/blogs/liferay-security-announcement-tls-v1-0 for further information.
The following Java system properties are now supported and have been added to 'system.properties':
##
## HTTPS
##
#
# Input a list of comma delimited HTTPS cipher suites allowed for HTTPS
# connection to a 3rd party server.
#
#https.cipherSuites=
#
# Input a list of comma delimited protocols allowed for HTTPS connection to
# a 3rd party server. For example -Dhttps.protocols=TLSv1.1,TLSv1.2 disables
# outbound TLS 1.0 connections.
#
#https.protocols=
When do you need this fix?
- Deployments running on Java 8 may want to apply this fix to disable TLS 1.0 for outbound HTTPS requests. TLS 1.1 and 1.2 are enabled by default in Java 8. >>> Recommended.
- Deployments running on Java 7 requires this fix in order to enable TLS 1.1/1.2 (and also to disable TLS 1.0) for outbound HTTPS connections unless using Java 7u111. >>> Required.