How to enable TLS 1.2 protocol (and suppress SSLv3, TLS1 and TLS1.1) for all outbound connections?

How to specify the Protocol list as part of the SSLInfo in the target endpoint element?

ACCEPTED SOLUTION

You can specify the Protocol list as part of the SSLInfo in the target endpoint element.

For example:

<HTTPTargetConnection>
    <URL>https://foo.com</URL>
    <SSLInfo>
        <Protocols>
            <Protocol>TLSv1.2</Protocol>
        </Protocols>
    </SSLInfo>
</HTTPTargetConnection>

The protocol definition in the <HTTPTargetConnection> will allow only the TLS 1.2 protocol to work.

@Madhumita Kumari The answer above is missing the Enabled attribute

<HTTPTargetConnection>
    <URL>https://foo.com</URL>
    <SSLInfo>
        <Enabled>true</Enabled>
        <Protocols>
            <Protocol>TLSv1.2</Protocol>
        </Protocols>
    </SSLInfo>
</HTTPTargetConnection>

Thanks for correcting @Divya Achan

See @Divya Achan's comment (this is necessary). Do note: this will only impact the outbound connection specified - it won't impact "all outbound" connections.
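
A check for the two points made in the replies above, as an added example that is not part of the original thread or of Apigee's tooling: it parses target endpoint XML and reports every HTTPTargetConnection whose SSLInfo lacks `<Enabled>true</Enabled>` or lists a protocol other than TLSv1.2. The names `check_target` and `ALLOWED`, the `<Bundle>` wrapper and the `bar.example` target are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"TLSv1.2"}  # assumption: the only protocol the thread wants enabled

def check_target(xml_text):
    """Return (url, finding) tuples for every HTTPTargetConnection in xml_text."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("HTTPTargetConnection"):  # iter() includes the root itself
        url = (conn.findtext("URL") or "").strip()
        ssl_info = conn.find("SSLInfo")
        if ssl_info is None:
            findings.append((url, "no SSLInfo element"))
            continue
        enabled = (ssl_info.findtext("Enabled") or "").strip().lower()
        if enabled != "true":
            findings.append((url, "SSLInfo/Enabled is not true"))
        names = [(p.text or "").strip() for p in ssl_info.findall("Protocols/Protocol")]
        if not names:
            findings.append((url, "no Protocols list"))
        for name in names:
            if name not in ALLOWED:
                findings.append((url, "protocol %s is listed" % name))
    return findings

# The accepted answer's snippet (no Enabled element).
FIRST_ANSWER = """<HTTPTargetConnection>
  <URL>https://foo.com</URL>
  <SSLInfo>
    <Protocols><Protocol>TLSv1.2</Protocol></Protocols>
  </SSLInfo>
</HTTPTargetConnection>"""

# The corrected snippet from the reply.
CORRECTED = FIRST_ANSWER.replace("<SSLInfo>", "<SSLInfo><Enabled>true</Enabled>")

# Constructed sample: a second target in the same bundle still lists TLSv1.
MIXED = "<Bundle>" + CORRECTED + CORRECTED.replace(
    "foo.com", "bar.example").replace(
    "<Protocols>", "<Protocols><Protocol>TLSv1</Protocol>") + "</Bundle>"

if __name__ == "__main__":
    for label, doc in (("first", FIRST_ANSWER), ("corrected", CORRECTED), ("mixed", MIXED)):
        print(label, check_target(doc))
```

Because the setting is per target, running the check over every target endpoint file in a proxy bundle is what shows whether any outbound connection is still left out.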

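For Node.js-related target endpoints, you should include the secureProtocol option in the Node.js script as shown below:

var tls = require('tls');

function handleRequest(req, resp) {
  // host and port are assumed to be defined elsewhere in the script
  var conn = tls.connect({
    host: host,
    port: port,
    rejectUnauthorized: false, // server certificate verification is turned off
    secureProtocol: 'TLSv1.2'  // restrict the outbound connection to TLS 1.2
  });
}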

And for the JS httpClient?

@Madhumita Kumari @sribalaji

How can I enable TLSv1.2 using plain JS?

Hello - how would the configuration change if we were accessing the Edge instance on the public cloud?

If you are on public cloud, by default TLS 1.2 is enabled, so there is no need to mention it explicitly in the Target Endpoint configuration.

Thanks for your response @divyaachan. If it is enabled by default, is there a way to suppress older versions of TLS (i.e., v1.0, v1.1)?

When TLS 1.2 is enabled by default, that is the protocol that is used for outbound communication. If you have to use older versions of TLS, then you'll have to explicitly mention them in the Target configuration.

Do you know how to block on inbound connections on Edge?

@Kailash Nagarajan I would request you to please open a separate question regarding inbound connections, so that it's searchable by everyone and everyone can benefit from the answer.