Specifying TLS/SSL Minimum Allowed Version and Ciphers

Depending on your cluster configuration and the security practices in your organization, you might need to restrict the allowed versions of TLS/SSL used by Key Trustee Server. Older TLS/SSL versions might have vulnerabilities or lack certain features.

Specify one of the following values using the Minimum TLS Support configuration setting:

  • tlsv1: Allow any TLS version of 1.0 or higher. This setting is the default when TLS/SSL is enabled.

  • tlsv1.1: Allow any TLS version of 1.1 or higher.

  • tlsv1.2: Allow any TLS version of 1.2 or higher.

Along with specifying the version, you can also specify the allowed set of TLS ciphers using the Supported Cipher Configuration for SSL configuration setting. The argument to this option is a list of keywords, separated by colons, commas, or spaces, and optionally including other notation.
AES256:CAMELLIA256-SHA

By default, the cipher list is empty, and Key Trustee Server uses the default cipher list for the underlying platform. See the output of man ciphers for the full set of keywords and notation allowed in the argument string.