Choose SSL protocol Client and Server use in an end-to-end connection


Article ID: 168277


Updated On:


ProxySG Software - SGOS


CPL policy can be created on the ProxySG to specify one SSL protocol, or a selection of them, to be allowed or denied.

This can be applied globally, or only to specific URLs, IP addresses, or other conditions.

For example, in an end-to-end connection:

  1. The ProxySG appliance accepts the hello from the server.
  2. The ProxySG appliance forwards the server's hello to the client.
  3. The client either accepts or rejects the server's hello.
    • The client accepts the server's hello. The appliance acknowledges both the server and client. The server and client exchange certificates and establish a connection.
    • The client rejects the server's hello. The server requests a different protocol and the client either rejects or accepts the server. If the client does not agree to any of the protocols the server requests, the ProxySG appliance drops the connection.


The ProxySG appliance has settings that you can configure to control which SSL protocols it supports. See the Editing an SSL Client section of the Administration Guide.

Note: The SSL Client settings are applicable when the ProxySG appliance is acting as an SSL Client by initiating its own SSL connections, for example, when acting as:

  • A reverse proxy
  • The Blue Coat Web Filter
  • A licensing portal


You can also specify the preferred SSL and TLS protocol versions in the proxy.

To make this change globally you can do this via CPL or from the Management Console.


To edit the SSL client from the Management Console:

  • Select Configuration > SSL > SSL Client.
  • Choose the Keyring to be affected.
  • Select any combination of the Protocols listed.
  • Click Apply.


To edit the SSL client via CPL, the syntax for this policy on the client side is:




And the syntax on the server side is:




To edit the SSL client for a specific URL via CPL, or under any other condition, you can use the following sample policy, which denies SSLv2, SSLv3, TLS 1.0 and TLS 1.1 on both sides of the connection and allows only TLS 1.2:

<ssl>
   client.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny
   server.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny
   client.connection.negotiated_ssl_version=TLSV1.2 allow
   server.connection.negotiated_ssl_version=TLSV1.2 allow
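As an added example that is not part of this article, the following Python script generates the <ssl> layer above for a chosen minimum protocol version and evaluates a negotiated client/server version pair against it. It assumes first-match-wins evaluation of the rules within the layer and an allow default when no rule matches; both are assumptions for the model, not statements taken from the article.

```python
# Added example (not from the KB article): generate the <ssl> layer for a chosen
# minimum protocol version and check which negotiated versions it would deny.

# Protocol names exactly as the article's sample policy spells them, oldest first.
VERSIONS = ["SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2"]


def build_ssl_layer(minimum="TLSV1.2"):
    """Return CPL text denying every version below `minimum` and allowing the rest."""
    idx = VERSIONS.index(minimum)
    legacy = ",".join(VERSIONS[:idx])   # versions to deny
    modern = ",".join(VERSIONS[idx:])   # versions to allow
    rules = []
    for side in ("client", "server"):
        if legacy:
            rules.append(f"   {side}.connection.negotiated_ssl_version={legacy} deny")
    for side in ("client", "server"):
        rules.append(f"   {side}.connection.negotiated_ssl_version={modern} allow")
    return "<ssl>\n" + "\n".join(rules) + "\n"


def parse_layer(text):
    """Turn the generated layer into (side, set_of_versions, action) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):   # skip blanks and the layer header
            continue
        condition, action = line.split()
        side, rest = condition.split(".", 1)
        versions = rest.split("=", 1)[1].split(",")
        rules.append((side, set(versions), action))
    return rules


def evaluate(rules, client_version, server_version, default="allow"):
    """Assumption: rules are checked top to bottom and the first match wins."""
    negotiated = {"client": client_version, "server": server_version}
    for side, versions, action in rules:
        if negotiated[side] in versions:
            return action
    return default


if __name__ == "__main__":
    layer = build_ssl_layer("TLSV1.2")
    print(layer)
    rules = parse_layer(layer)
    for pair in [("TLSV1.2", "TLSV1.2"), ("TLSV1.2", "TLSV1"), ("SSLV3", "TLSV1.2")]:
        print(pair, "->", evaluate(rules, *pair))
```

Raising the minimum (or appending a newer version name to VERSIONS) regenerates the layer without hand-editing each rule; the evaluation shows that a downgrade on either side of the proxied connection is caught by the deny rules before the allow rules are reached.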