Set preference for TLS 1.2 while leaving TLS 1.1 available

BrianB posted this 3 weeks ago


All:


We have a need to identify applications that are using the TLS 1.0 and 1.1 protocol for secure LDAP so that we can approach the owner to update or upgrade and force 1.2. I would like to set up TLS 1.2 as the preferred protocol without disabling the others, and audit the SCHANNEL connections looking for the lower versions. 


I know this is negotiated, but where the client supports all versions, I want to make sure they choose 1.2 above 1.1 or 1.0. Is there a way to set this up in that fashion? Can the order be changed so that, when negotiated, if the client supports the stronger version it is chosen over the less secure versions? 


Brian B. 


 

kebabfest posted this 3 weeks ago

It is opportunistic in that if you have set for all it goes for the highest first and works down, e.g. TLS 1.2, 1.1 etc. The higher the version the more secure the encryption cipher which is used. When speaking to the application owner it is advisable to work out the encryption cipher used. You could be lucky and find out the cipher they use is compatible with 1.2. If so then the move could be relatively painless. However legacy apps probably have old ciphers which won't work on 1.2. I am no expert in this, but this is the type of thing I have had to deal with in the last couple of weeks. 
On Wed 27 Feb 2019, 18:49 Brian Britt, <brianbritt@xxxxxxxxxxxxxxxx> wrote:
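An added example, not code from either poster: a PowerShell script that inventories the Schannel protocol registry settings on a Windows host and counts negotiated protocol versions from Schannel handshake events, which is the audit Brian describes. On Windows the protocol is not an ordered preference list; Schannel takes the highest version enabled on both sides, as kebabfest says, and the registry values only turn versions on or off. The script assumes Windows Server 2016 or later, where the informational Schannel event 36880 in the System log records the negotiated protocol version; the regex that parses the event message is an assumption about its wording and the function names are mine. Run it in an elevated session.

```powershell
# Added example (not from the thread). Inventories Schannel protocol settings on the
# local host and summarises negotiated protocol versions from Schannel handshake events.
#
# Assumptions (not stated in the thread): Windows Server 2016 or later, where the
# Schannel informational event 36880 in the System log includes the negotiated
# protocol version; the regex below that parses it is a guess at the message format.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelProtocolState {
    # One object per protocol/role. A missing key or value means the OS default
    # applies; Enabled=0 disables the protocol outright, DisabledByDefault=1 keeps
    # it installed but not offered unless an application asks for it explicitly.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key       = Join-Path $SchannelKey "Protocols\$proto\$role"
            $enabled   = $null
            $byDefault = $null
            if (Test-Path $key) {
                $props     = Get-ItemProperty -Path $key
                $enabled   = $props.Enabled
                $byDefault = $props.DisabledByDefault
            }
            $state = 'OS default'
            if ($enabled -eq 0)         { $state = 'Disabled' }
            elseif ($byDefault -eq 1)   { $state = 'Not offered by default' }
            elseif ($null -ne $enabled) { $state = 'Enabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $byDefault
                State             = $state
            }
        }
    }
}

function Enable-SchannelHandshakeLogging {
    # EventLogging is a bitmask: 1 = errors, 2 = warnings, 4 = informational.
    # 7 logs all three, which is what makes event 36880 (handshake completed) appear.
    # A restart may be required for the change to take effect.
    Set-ItemProperty -Path $SchannelKey -Name EventLogging -Value 7 -Type DWord
}

function Get-NegotiatedTlsVersions {
    # Counts negotiated protocol versions seen in Schannel event 36880 over the last N hours.
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36880
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events |
        ForEach-Object {
            # Assumed wording: the message contains e.g. "Protocol version: TLS 1.2".
            $version = 'unknown'
            if ($_.Message -match '(TLS|SSL) \d\.\d') { $version = $Matches[0] }
            $version
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'ProtocolVersion'; Expression = { $_.Name } }, Count
}

# Usage: inventory settings, turn on handshake logging, then review after a day of traffic.
Get-SchannelProtocolState | Format-Table -AutoSize
Enable-SchannelHandshakeLogging
Get-NegotiatedTlsVersions -Hours 24 | Format-Table -AutoSize
```

Two caveats on reading the output. Event 36880 covers every Schannel handshake on the host (LDAPS, RDP, IIS and anything else using Schannel), not LDAP alone, and it does not record the peer address, so the counts tell you whether TLS 1.0 or 1.1 is still being negotiated on the DC but not by which client; attributing a handshake to an application still needs a client-side inventory or a capture on the LDAPS port. Leaving the older versions enabled while you collect this data keeps the audit non-disruptive, which is the point of Brian's approach.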