Advanced TLS
This topic contains additional information about TLS.
Tuning Protocol Version Availability
In release 8.5.1, as part of the transition from RSA BSAFE to OpenSSL, the behavior of the sec-protocol option was modified. sec-protocol supports the following modes: SSLv23 (the default), SSLv3, TLSv1, TLSv11, and TLSv12.
The availability of a particular sec-protocol value depends strongly on the version of the component. Older components may not support this option at all, and only PSDK and the most recent Management Framework servers support the TLSv12 value. Check the documentation of each component before relying on a value.
Generally, the protocol versions currently available are as follows:
- On UNIX and Linux, TLS 1.2 is the highest available protocol with the OpenSSL Security Pack; TLS 1.1 with the RSA Security Pack.
- On Windows, TLS 1.1 and TLS 1.2 are supported starting with Windows Vista / Windows Server 2008. However, in most cases they must be enabled in the registry before they become available. Genesys recommends that you explicitly enable the desired protocol version in the Windows registry; protocol availability is controlled by the per-protocol Client and Server subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Refer to the Windows document TLS/SSL Settings for more information about enabling and disabling protocols in the Windows registry.
The supported protocol version modes can be categorized as one of two types:
- strict mode: SSLv3, TLSv1, TLSv11, and TLSv12 are the strict protocol version modes. Each enforces a single protocol version: the connection is not established if the remote peer does not accept exactly that version.
- compatibility mode: SSLv23, the default, accepts any version from SSLv2 up to and including TLSv12 and negotiates the highest version the remote peer offers. Because it accepts whatever the peer offers, it will also fall back to SSLv3 or TLS 1.0 against an old peer; use a strict mode where a minimum version must be guaranteed. SSLv2 is deprecated and highly vulnerable: it is negotiated only if SSLv2 ciphers are explicitly specified in the cipher list, and then only against a peer running in SSLv23 mode. Enabling SSLv2 is not recommended.
Tuning Available Cipher Lists
Normally, the set of permitted ciphers is defined by your InfoSec team and configured to the preferences of the user. The cipher-list configuration option allows a supporting Genesys component to select the list of cipher suites used for TLS. The option value is passed unchanged to the third-party TLS library and describes the set of permitted cipher suites.
Cipher List Formatting Rules
For applications using the Genesys common library, the cipher list string is a list of cipher operations. Each operation consists of an optional operator character followed by a cipher or alias name. Cipher list strings must conform to the following formatting rules:
Aliases
Ciphers also have aliases. The following table details the primary cipher aliases.
Groups of commonly-used ciphers also have aliases. This enables multiple aliases to be specified easily. The following table details the cipher group aliases.
Aliases can also be joined in a colon-separated list to specify the ciphers to add, move, or delete.
Example
The following is an example of a cipher string:
!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP
This cipher string is interpreted in the following sequence:
- !ADH: permanently exclude the anonymous Diffie-Hellman ciphers, which do not authenticate the server. The ! operator means that no later entry can add them back.
- RC4+RSA: add the ciphers that use both RC4 and RSA. A + between two names is an intersection, not a union.
- HIGH, MEDIUM, LOW: add the HIGH-, MEDIUM-, and LOW-security ciphers, in that order, after the RC4 ciphers already selected.
- EXP: add all export ciphers.
- +SSLv2, +EXP: move all SSLv2 ciphers, then all export ciphers, to the end of the list, so that they are offered with the lowest preference.
This string illustrates the syntax only. Because RC4+RSA comes first, the RC4 ciphers are preferred over the HIGH ciphers added later, and the string still permits LOW, export, and SSLv2 ciphers. A production cipher list should start from a strong group alias and exclude weak ciphers with ! rather than merely move them to the end.
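The operation semantics described in the formatting rules and in the example above are easiest to see by evaluating a string step by step. The following is an added example written for this page; it is not code from the Genesys common library or from OpenSSL. It models a small, constructed table of cipher suites (the names and tags are illustrative, and RC4-MD5-SSLv2 is a hypothetical entry standing in for an SSLv2-only suite) and applies the operators in order: plain names add, ! deletes permanently, - deletes until re-added, + moves to the end, and + inside a name intersects.

```python
"""Toy model of how an OpenSSL-style cipher list string is evaluated.

Added example for this page, not code from the Genesys common library or
from OpenSSL. The cipher table below is constructed for illustration; the
tag vocabulary mirrors OpenSSL alias names (RSA, RC4, HIGH, EXP, SSLv2, ...).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset


def _suite(name, *tags):
    return Suite(name, frozenset(tags))


# Constructed sample table, in the order the library would offer suites.
SUITES = [
    _suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA", "AES", "HIGH", "TLSv1.2"),
    _suite("DHE-RSA-AES128-SHA", "DHE", "RSA", "AES", "HIGH", "SSLv3"),
    _suite("AES128-SHA", "kRSA", "RSA", "AES", "HIGH", "SSLv3"),
    _suite("RC4-SHA", "kRSA", "RSA", "RC4", "MEDIUM", "SSLv3"),
    _suite("RC4-MD5", "kRSA", "RSA", "RC4", "MEDIUM", "SSLv3"),
    _suite("DES-CBC-SHA", "kRSA", "RSA", "DES", "LOW", "SSLv3"),
    _suite("EXP-RC4-MD5", "kRSA", "RSA", "RC4", "EXP", "SSLv3"),
    _suite("ADH-AES128-SHA", "ADH", "aNULL", "AES", "HIGH", "SSLv3"),
    _suite("ADH-RC4-MD5", "ADH", "aNULL", "RC4", "MEDIUM", "SSLv3"),
    _suite("RC4-MD5-SSLv2", "kRSA", "RSA", "RC4", "MEDIUM", "SSLv2"),  # hypothetical name
]


def matches(term, suite):
    """A term matches when every '+'-joined part applies to the suite.
    'RC4+RSA' therefore means RC4 *and* RSA, not RC4 or RSA."""
    return all(part == "ALL" or part == suite.name or part in suite.tags
               for part in term.split("+"))


def evaluate(cipher_string, table=SUITES):
    """Apply each colon-separated operation in order; return suite names
    in the resulting preference order."""
    selected = []      # current ordered list
    killed = set()     # names removed with '!' (cannot be re-added)
    for op in filter(None, cipher_string.split(":")):
        operator, term = (op[0], op[1:]) if op[0] in "!-+" else ("", op)
        hit = {s.name for s in table if matches(term, s)}
        if operator == "!":           # delete permanently
            killed |= hit
            selected = [s for s in selected if s.name not in hit]
        elif operator == "-":         # delete, but a later op may re-add
            selected = [s for s in selected if s.name not in hit]
        elif operator == "+":         # move matching suites to the end
            selected = ([s for s in selected if s.name not in hit]
                        + [s for s in selected if s.name in hit])
        else:                         # add matching suites not yet present
            present = {s.name for s in selected}
            selected += [s for s in table
                         if s.name in hit and s.name not in killed
                         and s.name not in present]
    return [s.name for s in selected]


def trace(cipher_string, table=SUITES):
    """Return (operation, resulting order) after each step, for review."""
    steps, prefix = [], []
    for op in filter(None, cipher_string.split(":")):
        prefix.append(op)
        steps.append((op, evaluate(":".join(prefix), table)))
    return steps


if __name__ == "__main__":
    PAGE_EXAMPLE = "!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP"
    for op, order in trace(PAGE_EXAMPLE):
        print(f"{op:<10} -> {order}")
    # A string built the other way round: start from HIGH, then strike
    # out what must never be negotiated.
    print(evaluate("HIGH:!aNULL:!RC4:!EXP:!LOW:!SSLv2"))
```

Running the trace on the page's example shows the RC4 suites at the head of the list and the AES-GCM suite behind them, with the SSLv2 and export suites moved, but not removed, at the tail. Comparing ALL:-RC4:RC4 with ALL:!RC4:RC4 shows the difference between - and !: the first string ends with RC4 re-added at the end, the second never gets it back.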
