Layer 7 API Management

Expand all | Collapse all

Globally Change outbound TLS version

Jump to Best Answer
  • 1.  Globally Change outbound TLS version

    Posted 09-18-2017 04:58 PM

    Does anyone know how to change the TLS version globally vs in each routing assertion?



  • 2.  Re: Globally Change outbound TLS version

    Posted 09-18-2017 06:51 PM

    Dear JustusSrigiri18000637 ,

    You can specify the TLS version for ports, on policy manager -> Tasks -> Transports -> Manage Listen Ports -> open port properties window -> SSL/TLS Settings tab -> Enable TLS versions

     

    Regards,

    Mark



  • 3.  Re: Globally Change outbound TLS version

    Posted 09-18-2017 06:57 PM

    That works for inbound connections. I am looking for outbound.



  • 4.  Re: Globally Change outbound TLS version

    Posted 09-19-2017 03:32 PM

    Justus, 

     

    You would have to change this on each route via HTTP assertion, as far as I know, there is no Global change, since each route via HTTP assertion is a separate outbound connection (client - server)

    Cheers
    Kemal 



  • 5.  Re: Globally Change outbound TLS version

    Posted 09-20-2017 10:53 AM

    I am thinking there is because in one env Gateway is using TLS1.2 for all outbound evident via tcpdump and the other (the culprit) is using SSLv3. Same default settings for the routing assertion in both envs. And Gateway should default to using TLS1.2 and NOT SSLv3.

    Further, its a hassle to change in every routing assertion.



  • 6.  Re: Globally Change outbound TLS version

    Posted 09-20-2017 08:53 AM

    If I am not mistaken the following system.properties option should do the trick.

    https.protocols=

    Like,

    https.protocols=TLSv1

     

    Thanks.



  • 7.  Re: Globally Change outbound TLS version
    Best Answer

    Posted 09-20-2017 11:01 AM

    hey CHARLES

    yeah this worked for versions before 9.2

    1) Set the routing assertion version to <Any>
    2) Add a comma-separated list of tls versions to the https.protocols parameter in /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
    https.protocols=TLSv1.2,TLSv1


    Now, in 9.2 TLS default provider has changed, not sure if this is still good to go. 
    Anyway, you would still have to change each route via https assertion, TLS to 'Any'

     

    Thanks 
    Kemal



  • 8.  Re: Globally Change outbound TLS version

    Posted 11-15-2017 01:01 PM

    Justus,

     

    The options provided of changing the system.properties file is currently the only option to force just a specific protocol to be used.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 9.  Re: Globally Change outbound TLS version

    Posted 11-21-2017 09:42 AM

    Thanks Stephen