Disabling TLS 1.1 and 1.2 in Portals and HTTPS Inspection

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk74000
Technical Level
Product	Security Gateway, HTTPS Inspection
Version	R75.40VS, R76
Platform / Model	All
Date Created	17-May-2012
Last Modified	19-Jun-2017

Symptoms

Starting with R75.40VS, the gateway supports newer versions of TLS 1.1 (RFC 4346) and TLS 1.2 (RFC 5246).

Solution

The new versions of TLS improve security by mitigating the BEAST attack ( http://en.wikipedia.org/wiki/BEAST_(computer_security) ) and moving to stronger hash functions.

If it's necessary to remove them, you can set the environment variable CPTLS_LEGACY_TLS10. To do this on SecurePlatform or GAIA, add the following line to file $CPDIR/conf/.CPprofile.sh:

CPTLS_LEGACY_TLS10=1 ; export CPTLS_LEGACY_TLS10

You will need to reboot after this.

NOTE: TLS 1.1 and 1.2 are supported in R75.40VS, R76 and later. They are not supported in R75.45, R75.46 and older versions.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating