Disable TLS versions SSLv3, TLSv1.0, or TLS 1.1


Article ID: 383145


Products

ProxySG Software - SGOS

Issue/Introduction

How to disable TLS versions.

Environment

ProxySG

Resolution

Restrict the appliance to newer TLS versions to harden intercepted SSL/TLS connections.

- By default, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 are all enabled for SSL proxy traffic.
- SSLv3, TLSv1.0, and TLSv1.1 are not recommended because of known weaknesses in these protocol versions; only TLSv1.2 and TLSv1.3 should be allowed.

For best security, use the following CPL gestures. They match on the version that was actually negotiated, so the legacy handshake still completes and the transaction is then denied (silent_denied returns no exception page to the client):

<ssl>
; deny client-side (downstream) connections that negotiated a legacy version
client.connection.negotiated_ssl_version=(SSLV3,TLSv1,TLSv1.1) force_exception(silent_denied)

<ssl>
; deny server-side (upstream) connections that negotiated a legacy version
server.connection.negotiated_ssl_version=(SSLV3,TLSv1,TLSv1.1) force_exception(silent_denied)

Before disabling SSLv3, TLSv1.0, and TLSv1.1, verify that all clients and servers with traffic going through the appliance support TLSv1.2 or later; any client or server that cannot negotiate TLSv1.2 or TLSv1.3 will have its transactions silently denied once these rules are installed.

For SGOS version 7.3.8.1 and later:
Specify the SSL/TLS versions to use for connections instead of denying connections that negotiated a less-secure version, so that a version outside the permitted range is never offered during the handshake. In the web VPM, add the Set Client Min Max SSL Version and Set Server Min Max SSL Version objects to the policy to specify a range of SSL/TLS versions for matching transactions.

Alternatively, use CPL such as the following examples:

; when connecting to example.com,
; accept only TLSv1.2 and TLSv1.3 on the server side
<ssl>
   url.domain="example.com" server.connection.min_ssl_version(tlsv1.2) server.connection.max_ssl_version(tlsv1.3)

; when the client requests www.example.com (by SNI),
; accept only TLSv1.1 and higher on the client side
<ssl>
   client.connection.ssl_server_name="www.example.com" client.connection.min_ssl_version(tlsv1.1)

Note that the second example still permits TLSv1.1 on the client side; to apply the floor recommended above, use client.connection.min_ssl_version(tlsv1.2) instead.