SSL Options

Use this page to set options for encryption and for authentication of online entities.

Accept all clients

Click this to allow all clients to communicate with the server without being checked for an SSL certificate.

Request client certificate, and verify if present

Click this to request the client for a certificate, and to verify the returned certificate. If the client does not return a certificate, communication continues between the client and server. If a certificate is returned and it fails to verify, communication stops.

If you check this, you must specify the CA root certificates file below.

Require client certificate and verify

Click this to always require a client certificate and to verify it. This ensures that the client is trusted. If a certificate is not returned or it cannot be verified, communication between the client and server is stopped.

If you check this, you must specify the CA root certificates file below.

CA root certificates file

This field is mandatory if you have chosen to request or require a client certificate.

Specify the path and filename of the file containing certificates of root CAs that you trust. This file must contain the CA root certificate of the CA that signed the client's certificate. For example, in the demoCA environment, this is CARootcert.pem in the private directory of the DemoCA area in the client system.

TLS honor server cipher list

Check this option to force clients to use the specified cipher list in the order of precedence listed in the server's Cipher suites field.

TLS protocols

Specifies the list of TLS protocols to be used in order of precedence listed.

Valid protocols are SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3 and TLS1.4, where TLS1.3 and TLS1.4 are placeholders to enable support for future versions. By default, only the TLS protocols are enabled. Each specified protocol is preceded by one of the following operators:

!: Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
+: Add. Add the protocol to the existing collection.
-: Delete. Delete the protocol from the existing collection.

Note: You can use the special option ALL to specify all of the supported protocols. Use -ALL to empty the default options list followed by the new options you require.

For example, to only use TLS1.1 and TLS1.2, type the following:

-ALL+TLS1.1+TLS1.2

Cipher suites

Specifies the priority of cipher suites to be used.

The cipher suite priority is formed using a combination of keywords and keyword modifiers for a space-separated string:

!: Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
+: Add. Add the cipher suite to the end of the collection.
-: Delete. Delete the cipher suite from the existing collection.

For example, to use only high security ciphers ordered by strength and then speed, excluding all others, type the following:

kEECDH+ECDSA kEECDH kEDH HIGH +SHA !RC4 !aNULL !eNULL !MEDIUM !LOW !3DES !MD5 !EXP

To determine the cipher suites supported by your version of OpenSSL, type the following from a command prompt:

openssl ciphers -v 'ALL:COMPLEMENTOFALL'

See Configuring a Cipher Suites List in the product Help for more information.

For additional information on cipher suite configuration please refer to the OpenSSL documentation, click here.