The following sections describe and show examples to common protocol-level TLS settings.
There are different and sometimes incompatible releases of the TLS protocol. TLS protocols can be set via the ClientSSLOptions and ServerSSLOptions classes, enabling all supported protocols by default. Set the appropriate 'disable_tls*' parameters to disable the selected TLS protocols. Zorp currently supports the TLS v1, TLS v1.1, TLS v1.2 and TLS v1.3 protocols.
| Example 3.2. Disabling specific TLS protocols |
|---|
|
The following example disables the TLSv1 protocol on the client and the server side. EncryptionPolicy(
name="MyTLSEncryption",
encryption=TwoSidedEncryption(
client_verify=None,
server_verify=ServerCertificateVerifier(
ca_directory="/etc/ca.d/certs/",
crl_directory="/etc/ca.d/crls/",
)
client_ssl_options=ServerSSLOptions(disable_tlsv1=TRUE),
server_ssl_options=ServerSSLOptions(disable_tlsv1=TRUE),
)
)
|
The cipher algorithms used for key exchange and mass symmetric encryption are specified by the cipher attribute of the class referred in the client_ssl_options or server_ssl_options of the Encryption policy. These attributes contain a cipher specification as specified by the OpenSSL manuals, see the manual page ciphers(ssl) for further details.
The default set of ciphers can be set by using the following predefined variables.
| Name | Value |
|---|---|
| SSL_CIPHERS_HIGH | n/a |
| SSL_CIPHERS_MEDIUM | n/a |
| SSL_CIPHERS_LOW | n/a |
| SSL_CIPHERS_ALL | n/a |
| SSL_CIPHERS_CUSTOM | n/a |
Table 3.3. Constants for cipher selection
Cipher specifications as defined above are sorted by key length. The cipher providing the best key length will be the most preferred.
Published on March 04, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu
