Helix Core Server Administrator Guide: Fundamentals (2019.1)

SSL and TLS Protocol Versions

By default, new clients connecting to new servers use TLSv1.2.

Clients and servers choose the highest TLS version supported by both ends of the connection.

TLSv1.1 and TLSv1.0 are also supported.

Two server configurables restrict the allowed TLS versions when a new client connects to a new server:

ssl.tls.version.min [default=10]

ssl.tls.version.max [default=12]

Each of these configurables can take one of the following values:

10 specifies TLSv1.0

11 specifies TLSv1.1

12 specifies TLSv1.2

  • ssl.tls.version.min specifies the lowest TLS version that will be accepted.
  • ssl.tls.version.max specifies the highest TLS version that will be accepted.

Important

After you change the value of these configurables, you must explicitly "stop" the server.

p4 admin restart is NOT sufficient.

The change takes effect after a complete "stop" and start.

To force the use of TLSv1.1, set

ssl.tls.version.min=11
ssl.tls.version.max=11

To force the use of TLSv1.2, set

ssl.tls.version.min=12
ssl.tls.version.max=12

To allow TLSv1.1 or TLSv1.2, but exclude TLSv1.0, set

ssl.tls.version.min=11
ssl.tls.version.max=12

These configurables can also be used by clients for testing purposes or to prevent connecting to servers below a minimum version.

Values of either configurable outside of the legal range will be treated as if they were pinned to the nearest end of the range. Thus values below 10 will be treated as 10, and values above 12 will be treated as 12.
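
The following Python model is an added example, not Perforce code and not part of the original guide. It applies the rules described on this page (defaults, clamping to the legal range, and choosing the highest version both ends allow) to check which TLS versions a given pair of settings admits. The function names and the sample settings are constructed for illustration, and settings are assumed to be written as name=value lines as shown above.

```python
"""Model of the TLS version rules on this page (added example, not Perforce code)."""

LEGAL_MIN, LEGAL_MAX = 10, 12  # legal range stated on this page
NAMES = {10: "TLSv1.0", 11: "TLSv1.1", 12: "TLSv1.2"}
DEFAULTS = {"ssl.tls.version.min": 10, "ssl.tls.version.max": 12}


def clamp(value):
    """Pin an out-of-range value to the nearest end of the legal range."""
    return max(LEGAL_MIN, min(LEGAL_MAX, value))


def effective_range(settings_text):
    """Parse 'name=value' lines; return (min, max) after defaults and clamping."""
    values = dict(DEFAULTS)
    for line in settings_text.splitlines():
        name, sep, raw = line.strip().partition("=")
        if sep and name in values:
            values[name] = clamp(int(raw))
    return values["ssl.tls.version.min"], values["ssl.tls.version.max"]


def accepted(settings_text):
    """Names of the TLS versions the configured range admits.

    An inverted range (min > max) gives an empty list in this model; the
    page does not say how the server treats that case.
    """
    lo, hi = effective_range(settings_text)
    return [NAMES[v] for v in range(lo, hi + 1)]


def negotiate(server_text, client_text):
    """Highest version inside both ranges, or None when they do not overlap."""
    s_lo, s_hi = effective_range(server_text)
    c_lo, c_hi = effective_range(client_text)
    best = min(s_hi, c_hi)
    return NAMES[best] if best >= max(s_lo, c_lo) else None


# Constructed sample settings (hypothetical server and client).
SERVER = "ssl.tls.version.min=11\nssl.tls.version.max=12"
LEGACY_CLIENT = "ssl.tls.version.max=10"

if __name__ == "__main__":
    print("server accepts:", accepted(SERVER))
    print("default client:", negotiate(SERVER, ""))
    print("legacy client: ", negotiate(SERVER, LEGACY_CLIENT))
```

In this model a client capped at TLSv1.0 gets no common version with a server whose minimum is 11, which is the effect of the "exclude TLSv1.0" setting shown earlier.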