
I've got a Liferay 6.2 server running on tomcat 7.0 behind Apache 2.4. Apache is handling SSL for the site that Liferay is serving, and all is well with inbound connections. What I'm having some trouble with is that one of the important parts of the site embeds content (with authorization) from another of our servers, and when the site process makes the outbound HTTPS query, it apparently fails handshake all the way back to TLS 1.0.

This means I can't secure the second server better until I can fix the Liferay server so it will accept an answer with a better version of TLS. This is proving to be hard for me to search about, since virtually all resources on the web and here on SF seem to be about securing inbound connections, not outbound ones.

The Liferay server needs to make the outbound call to get an authorization token that it rewrites into the URL for the embedded content presented to the user's browser.

Unfortunately, I'm not very well versed in the Java ecosystem, and I didn't write the code that's reaching out to the second server. I'm hoping someone has had some similar experience and can share with me, if not an answer, at least some terminology that might be better to research with. Here's hoping.

Dave
  • Is it not the responsibility of the server you are making the outbound connection to, to present you with an HTTPS session? As I read your post you want to make an outbound HTTPS session through your own web server? – Cristian Matthias Ambæk Mar 28 '18 at 11:09
  • Sounds like a question for Stack Overflow to define Java classes and such to do SSL connections. – ezra-s Mar 28 '18 at 14:51
  • What version of Java are you using? Java 7 should be fine, but if you're still on Java 6 you may need to add "-Dhttps.protocols=TLSv1.2 -Ddeployment.security.TLSv1.2=true" to your Tomcat startup (setenv.sh/tomcat7.conf). – Jason Floyd Mar 28 '18 at 15:35
  • Thanks for your thoughts. @CristianMatthiasAmbæk, I thought that should work, but I only discovered this issue when I disabled everything less than TLS 1.2 on the other server. Once I did that, the Liferay started failing to connect and pull tokens. I re-enabled a version at a time and tested, and Liferay wouldn't successfully reconnect until I re-enabled TLS 1.0. – Dave Mar 28 '18 at 15:47
  • @JasonFloyd, that seems promising, and it gives me something to search on. Am I correct that those would be parameters to add to $CATALINA_OPTS? On the other hand, we are using Java SE 1.7.0_76, so Java 7. Maybe misconfigured somehow? – Dave Mar 28 '18 at 15:48
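
To see what the JVM behind Tomcat actually offers on outbound connections, the diagnostic below prints the TLS versions JSSE supports and the ones it enables by default, then attempts a handshake with the defaults and with TLS 1.2 only. It is an added example, not part of the original question or of the Liferay code; the class name and the host `backend.example.internal` are placeholders.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic, not code from the Liferay application.
// Run it with the same JVM binary and the same -D options that Tomcat uses.
public class OutboundTlsCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder default; pass the real back-end host and port as arguments.
        String host = args.length > 0 ? args[0] : "backend.example.internal";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        System.out.println("java.version    = " + System.getProperty("java.version"));
        // https.protocols is read by HttpsURLConnection; shown here for reference only.
        System.out.println("https.protocols = " + System.getProperty("https.protocols"));

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("supported by JSSE : "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("enabled by default: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        SSLSocketFactory factory = ctx.getSocketFactory();
        // 1) Handshake with whatever this JVM enables by default for client sockets.
        handshake(factory, host, port, null);
        // 2) Handshake with TLS 1.2 only, to see whether it works once enabled.
        handshake(factory, host, port, new String[] {"TLSv1.2"});
    }

    private static void handshake(SSLSocketFactory factory, String host, int port,
                                  String[] protocols) {
        String label = protocols == null ? "JVM defaults" : Arrays.toString(protocols);
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            if (protocols != null) {
                socket.setEnabledProtocols(protocols);
            }
            socket.startHandshake();
            System.out.println(label + " -> negotiated " + socket.getSession().getProtocol()
                    + " / " + socket.getSession().getCipherSuite());
        } catch (Exception e) {
            // Covers handshake failures, unsupported protocol names and connection errors.
            System.out.println(label + " -> failed: " + e);
        }
    }
}
```

On Java 7, JSSE supports TLSv1.1 and TLSv1.2 but does not enable them by default for client sockets, so the "supported" and "enabled by default" lines can differ. If the TLS 1.2 handshake succeeds while the default one negotiates TLSv1, the fix lies in how the client code or JVM options select protocols rather than in the other server.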

0 Answers