Disable TLS versions SSLv3, TLSv1.0, or TLS 1.
Article ID: 383145
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
How to disable TLS versions.
Environment
ProxySG
Resolution
Use more secure TLS versions to harden the SSL connection.
For best security, use the following CPL gestures:
- By default, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 are all enabled for SSL proxy traffic.
- The use of SSLv3, TLSv1.0, or TLS 1.1 is not recommended due to various vulnerabilities in these protocol versions.
For best security, use the following CPL gestures:
<ssl>
client.connection.negotiated_ssl_version=(SSLV3,TLSv1,TLSv1.1) force_exception(silent_denied)
<ssl>
server.connection.negotiated_ssl_version=(SSLV3,TLSv1,TLSv1.1) force_exception(silent_denied)
Before disabling SSLv3, TLSv1.0, and TLS 1.1, verify that all clients and servers with traffic going through the appliance support TLSv1.2 or later.
For SGOS version 7.3.8.1 and later:
Specify the SSL/TLS versions to use for connections instead of denying connections that negotiated less-secure versions. In the web VPM, add the Set Client Min Max SSL Version and Set Server Min Max SSL Version
objects to the policy to specify a range of SSL/TLS versions for matching transactions.
objects to the policy to specify a range of SSL/TLS versions for matching transactions.
Alternatively, use CPL such as the following examples:
; when connecting to example.com
; accept only TLSv1.2 and TLSv1.3 on the server side
<ssl>
url.domain="example.com" server.connection.min_ssl_version(tlsv1.2)
server.connection.max_ssl_version(tlsv1.3)
; when connecting to example.com, accept only TLSv1.1 and higher
<ssl>
client.connection.ssl_server_name=www.example.com client.connection.min_ssl_version(tlsv1.1)
Feedback
Yes
No
Powered by
