
TLS Supported versions...

Tyson_James
Altostratus

Our Security Team has requested that we enable support for TLS 1.2 and TLS 1.3 and disable support for TLS 1.0. I am looking at our client SSL profile and it currently has the following as Enabled Options: Don't insert empty fragments, No SSL, No TLSv1.3 and No SSLv3. Should I remove No TLSv1.3 and add No TLSv1? Would that accomplish what our Security Team is looking to do?

2 REPLIES

Fallout1984
Cirrocumulus

For the enabled options, you can do:

Don't insert empty fragments, No TLSv1, No TLSv1.1, No SSLv2 and No SSLv3 (if that one's listed).

Also, if No TLSv1.3 is there, then remove it. Once you're finished, you can check the site cert (if it's accessible from off-site) via ssllabs.com - you can run a check/report there which will give you a score.

Note that your cert security is not just enabled/disabled TLS, SSL, etc. The ciphers you allow/disallow matter as well. You can try "DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH" (the @STRENGTH will begin cipher negotiation with the strongest and proceed to the weakest). The downside can be backend servers/apps that don't play well with newer ciphers so, like they say, "your mileage may vary."

This page has some useful info regarding SSL/TLS Best Practices:

https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

Good Luck!

Alan
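For an internal site that ssllabs.com cannot reach, the same protocol-version check can be run from any host with Python. This is an added example, not code from the thread or from F5; it assumes the target is reachable on port 443 and encodes the policy from the reply above (TLS 1.0 and 1.1 refused, TLS 1.2 and 1.3 accepted). It checks versions only, not the cipher list.

```python
import socket
import ssl

# Protocol versions to probe, keyed by the name reported in results.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Policy from the reply: legacy versions off, modern versions on.
REQUIRED_DISABLED = ("TLSv1.0", "TLSv1.1")
REQUIRED_ENABLED = ("TLSv1.2", "TLSv1.3")


def make_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Certificate validity is not under test here; an internal or expired
    # cert would otherwise hide the version result behind a verify error.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: True if the server completed a handshake}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with make_context(version).wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError, ValueError):
            # Handshake refused, connection failed, or the local OpenSSL
            # build no longer supports that version at all.
            results[name] = False
    return results


def violations(results):
    """List the ways a probe result departs from the policy."""
    out = [v + " still accepted" for v in REQUIRED_DISABLED if results.get(v)]
    out += [v + " not offered" for v in REQUIRED_ENABLED if not results.get(v)]
    return out


def policy_ok(results):
    return not violations(results)
```

Run as `probe("your-vip.example.internal")` (constructed hostname) and check `violations()` on the result; an empty list means the profile change did what the security team asked.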

Thank you. I will try this out.