Layer7 API Management

  • 1.  Globally Change outbound TLS version

    Posted Sep 18, 2017 04:58 PM

    Does anyone know how to change the TLS version globally vs in each routing assertion?



  • 2.  Re: Globally Change outbound TLS version

    Broadcom Employee
    Posted Sep 18, 2017 06:51 PM

    Dear JustusSrigiri18000637,

    You can specify the TLS version for ports in Policy Manager -> Tasks -> Transports -> Manage Listen Ports -> open the port properties window -> SSL/TLS Settings tab -> Enable TLS versions.

    Regards,

    Mark



  • 3.  Re: Globally Change outbound TLS version

    Posted Sep 18, 2017 06:57 PM

    That works for inbound connections. I am looking for outbound.



  • 4.  Re: Globally Change outbound TLS version

    Posted Sep 19, 2017 03:32 PM

    Justus,

    You would have to change this on each route via HTTP assertion. As far as I know, there is no global change, since each route via HTTP assertion is a separate outbound connection (client - server).

    Cheers
    Kemal 



  • 5.  Re: Globally Change outbound TLS version

    Posted Sep 20, 2017 10:53 AM

    I am thinking there is, because in one env the Gateway is using TLS1.2 for all outbound, evident via tcpdump, and the other (the culprit) is using SSLv3. Same default settings for the routing assertion in both envs. And the Gateway should default to using TLS1.2 and NOT SSLv3.

    Further, it's a hassle to change in every routing assertion.



  • 6.  Re: Globally Change outbound TLS version

    Broadcom Employee
    Posted Sep 20, 2017 08:53 AM

    If I am not mistaken, the following system.properties option should do the trick.

    https.protocols=

    Like,

    https.protocols=TLSv1

     

    Thanks.



  • 7.  Re: Globally Change outbound TLS version
    Best Answer

    Posted Sep 20, 2017 11:01 AM

    Hey CHARLES,

    Yeah, this worked for versions before 9.2:

    1) Set the routing assertion version to <Any>
    2) Add a comma-separated list of TLS versions to the https.protocols parameter in /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
    https.protocols=TLSv1.2,TLSv1


    Now, in 9.2 the default TLS provider has changed; not sure if this is still good to go.
    Anyway, you would still have to change TLS to 'Any' on each route via HTTPS assertion.

     

    Thanks 
    Kemal
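
Added example, not code from the thread or from the product: a POSIX shell check that reads the effective https.protocols value from a system.properties file (the key and file name come from the post above) and reports any protocol name other than TLSv1.2 or TLSv1.3. The function names, the allowlist policy and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit https.protocols in a properties file.

# Print the effective https.protocols value; exit status 1 if the key is absent.
# Follows java.util.Properties basics: "#"/"!" comment lines are skipped, "=" or
# ":" separates key and value, and the last definition wins. Simplification:
# line continuations and whitespace-only separators are not handled.
get_https_protocols() {
  awk '
    /^[ \t]*[#!]/ { next }
    match($0, /^[ \t]*https\.protocols[ \t]*[=:][ \t]*/) {
      val = substr($0, RLENGTH + 1)
      sub(/[ \t\r]+$/, "", val)
      found = 1
    }
    END { if (!found) exit 1; print val }
  ' "$1"
}

# Print a verdict: "unset", "empty", "ok", or "weak: <names>".
# Assumed policy for this example: only TLSv1.2 and TLSv1.3 are acceptable;
# every other name (SSLv3, TLSv1, TLSv1.1, typos) is reported.
audit_https_protocols() {
  if ! protos=$(get_https_protocols "$1"); then echo "unset"; return 0; fi
  printf '%s\n' "$protos" | awk -F, '
    { for (i = 1; i <= NF; i++) {
        p = $i; gsub(/[ \t]/, "", p)
        if (p == "") continue
        n++
        if (p != "TLSv1.2" && p != "TLSv1.3") flagged = flagged " " p
      } }
    END {
      if (n == 0) print "empty"
      else if (flagged != "") print "weak:" flagged
      else print "ok"
    }'
}

# Constructed sample input (not a real Gateway file) using the thread's value.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '#https.protocols=SSLv3' \
  'https.protocols=TLSv1.2,TLSv1' > "$sample"
echo "effective: $(get_https_protocols "$sample")"
echo "verdict:   $(audit_https_protocols "$sample")"
rm -f "$sample"
```

Running the same check on both environments shows whether their property files differ. Because the post notes that the default TLS provider changed in 9.2, the result is worth confirming against a packet capture of an outbound handshake, as was done with tcpdump earlier in the thread.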



  • 8.  Re: Globally Change outbound TLS version

    Broadcom Employee
    Posted Nov 15, 2017 01:01 PM

    Justus,

     

    The option provided, changing the system.properties file, is currently the only option to force just a specific protocol to be used.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 9.  Re: Globally Change outbound TLS version

    Posted Nov 21, 2017 09:42 AM

    Thanks Stephen