Specifying TLS/SSL Minimum Allowed Version and Ciphers

Depending on your cluster configuration and the security practices in your organization, you might need to restrict the allowed versions of TLS/SSL used by Key Trustee Server. Older TLS/SSL versions might have vulnerabilities or lack certain features.

Specify one of the following values using the Minimum TLS Support configuration setting:

tlsv1: Allow any TLS version of 1.0 or higher. This setting is the default when TLS/SSL is enabled.
tlsv1.1: Allow any TLS version of 1.1 or higher.
tlsv1.2: Allow any TLS version of 1.2 or higher.

note

The pyOpenSSL version on the Key Trustee Server cluster should be updated to 16.2 before changing the TLS version to 1.2. If pyOpenSSL is not updated, then the following error appears when the Key Trustee Server service attempts to restart:

keytrustee-server: Error in setting the protocol to the value TLSv1.2.
This usually means there is no support for the entered value.
Python Error: 'module' object has no attribute 'OP_NO_TLSv1_1"

Along with specifying the version, you can also specify the allowed set of TLS ciphers using the Supported Cipher Configuration for SSL configuration setting. The argument to this option is a list of keywords, separated by colons, commas, or spaces, and optionally including other notation.

AES256:CAMELLIA256-SHA

By default, the cipher list is empty, and Key Trustee Server uses the default cipher list for the underlying platform. See the output of man ciphers for the full set of keywords and notation allowed in the argument string.