To configure TLS security settings on both the Client side and the Server side, proceed to TLS security settings.

Figure 402: <Protocol> Control > Settings > TLS security settings - configuring TLS security settings

  • Cipher strength specifies the cipher string OpenSSL will use. The following options are possible:

    • Recommended: this setting only uses ciphers with an adequate security level.

    • Custom: this setting allows you to specify the list of ciphers you want to permit SPS to use in the connection. This setting is only recommended to ensure compatibility with older systems. For more details on customizing this list, check the 'openssl-ciphers' manual page on your SPS appliance.

      For example: ALL:!aNULL:@STRENGTH

  • Minimum TLS version specifies the minimum TLS version SPS will offer during negotiation. The following options are possible:

    • TLS 1.2: this setting only offers TLS version 1.2 during the negotiation. This is the recommended setting.

    • TLS 1.1: this setting offers TLS version 1.1 and later versions during the negotiation.

    • TLS 1.0: this setting offers TLS version 1.0 and later versions during the negotiation.

    NOTE: Setting up sessions to legacy systems that do not support at least TLS 1.2 is only possible when the security level of the connection is degraded to 0. To do this, specify the TLS ciphers manually and append the string `:@SECLEVEL=0` to the cipher list. However, this setting also enables the use of known vulnerable algorithms and key sizes, so it is absolutely critical to use such connection settings only when necessary and when you can fully trust the network between SPS and the legacy system. When degrading the security level of a connection is unavoidable, it is strongly recommended to use different security settings on the server side and the client side of the connection.

NOTE: SPS only permits TLS-encrypted connections. SSLv3 is not supported.
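
An added example (not part of the SPS documentation or product code): a Python check to run on a Custom cipher string before entering it, flagging `@SECLEVEL=0` and weak keyword selections, with an `expand()` helper that lists the suites the local OpenSSL build would enable. The function names are hypothetical, and the local result can differ from what the OpenSSL build on the SPS appliance enables.

```python
import re
import ssl

# Keywords from openssl-ciphers(1) that select weak or unauthenticated suites.
WEAK = {"aNULL", "eNULL", "NULL", "EXPORT", "LOW", "RC4", "DES", "3DES", "MD5"}

def lint_cipher_string(cipher_string):
    """Return findings for a custom cipher string (hypothetical helper, offline)."""
    findings, banned, selected = [], set(), []
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        level = re.fullmatch(r"@SECLEVEL=(\d)", token)
        if level:
            if level.group(1) == "0":
                findings.append("@SECLEVEL=0 permits known vulnerable algorithms and key sizes")
        elif token.startswith("!"):
            banned.add(token[1:])               # '!' removes suites permanently
        elif token and token[0] not in "@-":
            selected.append(token.lstrip("+"))  # '@STRENGTH' only sorts; '-' removes
    for token in selected:
        # 'A+B' selects suites matching both A and B; one weak part makes them weak
        weak = sorted(p for p in token.split("+") if p in WEAK and p not in banned)
        if weak:
            findings.append(f"{token} selects weak suites: {', '.join(weak)}")
        if token == "ALL" and "aNULL" not in banned:
            findings.append("ALL without !aNULL includes unauthenticated suites")
    return findings

def expand(cipher_string):
    """Suites the local OpenSSL build enables for the string (build-dependent)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]

if __name__ == "__main__":
    # The page's example string, then the same string with the degraded level.
    for candidate in ("ALL:!aNULL:@STRENGTH", "ALL:!aNULL:@STRENGTH:@SECLEVEL=0"):
        print(candidate, "->", lint_cipher_string(candidate) or "no findings")
        for name, protocol, bits in expand(candidate):
            print(f"  {protocol:8} {bits:4} {name}")
```

TLS 1.3 suites appear in the `expand()` output regardless of the string, because OpenSSL configures them separately from the cipher list.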