Set preference for TLS 1.2 while leaving TLS 1.1 available

  • Last Post 27 February 2019
BrianB posted this 27 February 2019


All:


We have a need to identify applications that are using the TLS 1.0 and 1.1 protocols for secure LDAP so that we can approach the owner to update or upgrade and force 1.2. I would like to set up TLS 1.2 as the preferred protocol without disabling the others, and audit the SCHANNEL connections looking for the lower versions.


I know this is negotiated, but where the client supports all versions, I want to make sure they choose 1.2 above 1.1 or 1.0. Is there a way to set this up in that fashion? Can the order be changed so that, when negotiated and if the client supports the stronger version, it is chosen over the less secure versions?


Brian B. 


 

kebabfest posted this 27 February 2019

It is opportunistic in that if you have set for all, it goes for the highest first and works down, e.g. TLS 1.2, 1.1, etc. The higher the version, the more secure the encryption cipher which is used. When speaking to the application owner it is advisable to work out the encryption cipher used. You could be lucky and find out the cipher they use is compatible with 1.2. If so, then the move could be relatively painless. However, legacy apps probably have old ciphers which won't work on 1.2. I am no expert in this, but this is the type of thing I have had to deal with in the last couple of weeks.
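One way to run the audit asked about above, as an added example that is not part of the original thread: read the version the server selected out of each captured ServerHello and list the clients that ended up below TLS 1.2. It assumes the handshakes to the LDAPS port have already been captured; the function names, addresses and sample records are constructed for illustration.

```python
import struct

# Protocol version codes as they appear on the wire.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MIN_ACCEPTABLE = 0x0303  # TLS 1.2

def negotiated_version(record: bytes) -> int:
    """Return the server_version field of a ServerHello TLS record.

    A TLS 1.3 ServerHello also carries 0x0303 here (the real version is in
    an extension), so a "below TLS 1.2" check on this field stays valid.
    """
    if len(record) < 11:
        raise ValueError("too short to hold a ServerHello")
    content_type, _record_version, _length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:        # 0x16 = handshake record
        raise ValueError("not a handshake record")
    if record[5] != 0x02:           # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    # Bytes 6..8 are the handshake length; the chosen version follows.
    (version,) = struct.unpack("!H", record[9:11])
    return version

def audit(flows):
    """flows: iterable of (client, server_hello_bytes) pairs.

    Returns (client, version_name) for every client that negotiated
    below TLS 1.2; records that do not parse are skipped.
    """
    findings = []
    for client, hello in flows:
        try:
            version = negotiated_version(hello)
        except ValueError:
            continue
        if version < MIN_ACCEPTABLE:
            findings.append((client, VERSIONS.get(version, hex(version))))
    return findings

def sample_server_hello(version: int) -> bytes:
    """Build a minimal, constructed ServerHello record for the demo."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

# Constructed sample data (documentation address range).
SAMPLE_FLOWS = [("192.0.2.11", sample_server_hello(0x0303)),
                ("192.0.2.12", sample_server_hello(0x0301)),
                ("192.0.2.13", sample_server_hello(0x0302))]

if __name__ == "__main__":
    for client, name in audit(SAMPLE_FLOWS):
        print(f"{client} negotiated {name}")
```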

