3.2.6. Protocol-level TLS settings

The following sections describe the common protocol-level TLS settings and show an example of each.

Setting the allowed TLS protocol

There are different and sometimes incompatible releases of the TLS protocol. The allowed TLS protocols are set via the ClientSSLOptions and ServerSSLOptions classes; all supported protocols are enabled by default. Set the appropriate 'disable_proto_tls*' parameters (for example, disable_proto_tlsv1) to disable the selected TLS protocols. Application-level Gateway currently supports the TLS v1, TLS v1.1 and TLS v1.2 protocols.

Example 3.2. Disabling specific TLS protocols

The following example disables the TLSv1 protocol on both the client and the server side.

EncryptionPolicy(
    name="MyTLSEncryption",
    encryption=TwoSidedEncryption(
        client_verify=None,
        server_verify=ServerCertificateVerifier(
            ca_directory="/etc/ca.d/certs/",
            crl_directory="/etc/ca.d/crls/",
        ),
        client_ssl_options=ClientSSLOptions(disable_proto_tlsv1=TRUE),
        server_ssl_options=ServerSSLOptions(disable_proto_tlsv1=TRUE),
    )
)

Cipher selection

The cipher algorithms used for key exchange and for bulk symmetric encryption are specified by the cipher attribute of the class referenced in the client_ssl_options or server_ssl_options of the Encryption policy. This attribute contains a cipher specification in the format defined by the OpenSSL manuals; see the ciphers(ssl) manual page for further details.

The default set of ciphers can be selected using the following predefined constants.

Name                 Value
SSL_CIPHERS_HIGH     n/a
SSL_CIPHERS_MEDIUM   n/a
SSL_CIPHERS_LOW      n/a
SSL_CIPHERS_ALL      n/a
SSL_CIPHERS_CUSTOM   n/a

Table 3.1. Constants for cipher selection

Cipher specifications defined this way are sorted by key length: the cipher with the longest key is the most preferred.
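The two settings above (the disable_proto_tlsv1 flag and the cipher specification) can be inspected offline on a plain Python ssl.SSLContext. The following is an added example, not code from the product or its policy language; the mapping of the SSL_CIPHERS_* constants to OpenSSL cipher strings, and the helper names build_context, cipher_strengths, weakest_key_bits, tlsv1_allowed and spec_is_usable, are assumptions made for the example.

```python
"""Added example: mirrors the gateway's disable_proto_tlsv1 and cipher settings
on a plain ssl.SSLContext so their effect can be checked before deployment."""
import ssl

# Assumed OpenSSL cipher strings behind the documented constants (the page gives no values).
CIPHER_SPECS = {
    "SSL_CIPHERS_HIGH": "HIGH",
    "SSL_CIPHERS_MEDIUM": "MEDIUM",
    "SSL_CIPHERS_LOW": "LOW",
    "SSL_CIPHERS_ALL": "ALL",
}


def build_context(cipher_spec, disable_proto_tlsv1=False):
    """Apply a cipher spec and, optionally, the TLSv1 disable flag to a context.

    A spec that selects no cipher is a configuration error, so it is reported
    as ValueError here rather than surfacing later as failed handshakes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if disable_proto_tlsv1:
        # Equivalent of disable_proto_tlsv1=TRUE: raise the floor to TLS 1.1,
        # without lowering a floor the library already set higher.
        ctx.minimum_version = max(ctx.minimum_version, ssl.TLSVersion.TLSv1_1)
    try:
        ctx.set_ciphers(CIPHER_SPECS.get(cipher_spec, cipher_spec))
    except ssl.SSLError as exc:
        raise ValueError(f"cipher spec {cipher_spec!r} selects no usable cipher") from exc
    return ctx


def cipher_strengths(ctx):
    """(name, key bits) for each enabled cipher, in the context's preference order."""
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weakest_key_bits(ctx):
    """Smallest key length the context would still accept."""
    return min(bits for _, bits in cipher_strengths(ctx))


def tlsv1_allowed(ctx):
    """True if the context's protocol floor still admits TLS 1.0."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


def spec_is_usable(cipher_spec):
    """Pre-deployment check: does the spec select at least one cipher?"""
    try:
        build_context(cipher_spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ctx = build_context("SSL_CIPHERS_HIGH", disable_proto_tlsv1=True)
    print("TLSv1 allowed:", tlsv1_allowed(ctx), "| weakest key:", weakest_key_bits(ctx), "bits")
    for name, bits in cipher_strengths(ctx)[:5]:
        print(f"  {name:<32} {bits} bits")
```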