We want to know if there is any way to change the TLS version for outbound connections at the gateway level, i.e. by changing cluster-wide properties or another way.
We know that we can enforce the TLS version that we want for outbound connections at the policy level in the HTTP Routing assertion; we want to know if there is any setting we can add at the gateway level to enforce a particular TLS version (for outbound).
All Supported versions of the CA API Gateway
There is no cluster-wide property to control/set this for inbound requests; however, Gateway 10.1 disabled the weak protocols TLS 1.0 and TLS 1.1.
This is controlled by the JDK java.security file. Changes to this file require a restart and may have unexpected effects on other functionality of the gateway.
This has a global effect on inbound and outbound requests. The file used to disable/enable protocols is /opt/SecureSpan/JDK/conf/security/java.security
The latest versions (Gateway 10.1/11.0) disable the following by default:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
On the Gateway 10.0 appliance the file is /opt/JDK/jre/lib/security/java.security; look for the line:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, include jdk.disabled.namedCurves
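As an added check (this script is not from the article or from the CA API Gateway product), the following Python reads a java.security file, joins the backslash-continued lines the way the Java properties format does, and reports which of SSLv3, TLSv1 and TLSv1.1 are absent from jdk.tls.disabledAlgorithms. That is the property that governs which protocol versions the JDK will negotiate for both inbound and outbound TLS; jdk.jar.disabledAlgorithms, quoted above for the 10.0 appliance, governs signed-JAR verification rather than TLS handshakes. The file paths are the ones named above; the embedded sample file content is constructed.

```python
"""Added example: check a JDK java.security file for weak TLS protocol versions.

Not code from the KB article or from the CA API Gateway product. It parses the
jdk.tls.disabledAlgorithms property, honouring backslash line continuations,
and reports which legacy protocol versions are not disabled.
"""
import sys

WEAK_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

# Paths quoted in the article (Gateway 10.1/11.0 and the 10.0 appliance).
DEFAULT_PATHS = (
    "/opt/SecureSpan/JDK/conf/security/java.security",
    "/opt/JDK/jre/lib/security/java.security",
)

# Constructed sample modelled on the 10.1/11.0 defaults quoted in the article;
# not a real file taken from a gateway.
SAMPLE_JAVA_SECURITY = """\
# constructed sample
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, include jdk.disabled.namedCurves
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
"""


def parse_properties(text):
    """Parse java.security text into a dict of key -> value.

    A trailing backslash continues the property on the next line, whose
    leading whitespace is dropped (Java properties semantics). Lines
    starting with '#' are comments and are skipped.
    """
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = line.lstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending).strip()
        pending = []
        if not logical or logical.startswith("#"):
            continue
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_tls_entries(text):
    """Return the individual entries of jdk.tls.disabledAlgorithms."""
    value = parse_properties(text).get("jdk.tls.disabledAlgorithms", "")
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def weak_protocols_still_enabled(text):
    """Return the weak protocol versions that are NOT listed as disabled."""
    disabled = set(disabled_tls_entries(text))
    return [proto for proto in WEAK_PROTOCOLS if proto not in disabled]


def check_file(path):
    """Read a java.security file and report weak protocols it leaves enabled."""
    with open(path, encoding="utf-8") as fh:
        return weak_protocols_still_enabled(fh.read())


if __name__ == "__main__":
    # Usage: python check_java_security.py [/path/to/java.security]
    # Without an argument the constructed sample is checked.
    if len(sys.argv) > 1:
        enabled = check_file(sys.argv[1])
    else:
        enabled = weak_protocols_still_enabled(SAMPLE_JAVA_SECURITY)
    if enabled:
        print("weak protocols still enabled:", ", ".join(enabled))
    else:
        print("SSLv3, TLSv1 and TLSv1.1 are all disabled")
```

Run it against the gateway's java.security before and after an edit to confirm the protocol list actually took effect; a JDK reads this file only at startup, so the result describes what the gateway will negotiate after the restart the article mentions.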