SSL and TLS Protocol Versions
By default, new clients connecting to new servers use TLSv1.2.
Clients and servers choose the highest TLS version supported by both ends of the connection.
TLSv1.1 and TLSv1.0 are also supported.
Two server configurables restrict the allowed TLS versions when a new client connects to a new server:
ssl.tls.version.min [default=10]
ssl.tls.version.max [default=12]
Each of these configurables can take one of the following values:
10 specifies TLSv1.0
11 specifies TLSv1.1
12 specifies TLSv1.2
- ssl.tls.version.min specifies the lowest TLS version that will be accepted.
- ssl.tls.version.max specifies the highest TLS version that will be accepted.
After you change the value of these configurables, you must explicitly "stop" the server.
p4 admin restart is NOT sufficient.
The change takes effect after a complete "stop" and start.
- For UNIX, see Stopping the Helix server and Starting the Helix server.
- For Windows, see Starting and stopping the Perforce service.
To force the use of TLSv1.1, set
ssl.tls.version.min=11
ssl.tls.version.max=11
To force the use of TLSv1.2, set
ssl.tls.version.min=12
ssl.tls.version.max=12
To allow TLSv1.1 or TLSv1.2, but exclude TLSv1.0, set
ssl.tls.version.min=11
ssl.tls.version.max=12
These configurables can also be used by clients for testing purposes or to prevent connecting to servers below a minimum version.
Values of either configurable outside of the legal range will be treated as if they were pinned to the nearest end of the range. Thus values below 10 will be treated as 10, and values above 12 will be treated as 12.
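
The selection rules on this page (the defaults, the highest version common to both ends, and the pinning of out-of-range values) can be checked with a small model before you change a live server. This is an added Python example, not Perforce code: the function names are hypothetical, and treating non-overlapping ranges as "no common version" is an assumption of the model.

```python
# Added illustration: models the version rules described on this page.
# Not Perforce code; all function names here are hypothetical.

NAMES = {10: "TLSv1.0", 11: "TLSv1.1", 12: "TLSv1.2"}
DEFAULTS = {"ssl.tls.version.min": 10, "ssl.tls.version.max": 12}


def clamp(value):
    """Pin an out-of-range value to the nearest end of 10..12."""
    return max(10, min(12, value))


def effective_range(settings_text=""):
    """Parse whitespace-separated name=value pairs; return clamped (min, max)."""
    values = dict(DEFAULTS)
    for token in settings_text.split():
        name, _, raw = token.partition("=")
        if name in values:
            values[name] = int(raw)
    return clamp(values["ssl.tls.version.min"]), clamp(values["ssl.tls.version.max"])


def accepted(settings_text=""):
    """List the version names a side with these settings will accept."""
    low, high = effective_range(settings_text)
    return [NAMES[v] for v in range(low, high + 1)]


def negotiate(server_settings="", client_settings=""):
    """Return the highest version both ends support, or None.

    Assumption of this model: ranges that do not overlap (including a
    side whose min exceeds its max) yield no common version.
    """
    s_low, s_high = effective_range(server_settings)
    c_low, c_high = effective_range(client_settings)
    low, high = max(s_low, c_low), min(s_high, c_high)
    return NAMES[high] if low <= high else None


if __name__ == "__main__":
    # Constructed sample settings in the name=value form used on this page.
    hardened = "ssl.tls.version.min=11 ssl.tls.version.max=12"
    print("server accepts:", accepted(hardened))
    print("default client:", negotiate(hardened))
    print("TLSv1.0-only client:", negotiate(hardened, "ssl.tls.version.max=10"))
    print("out of range:", accepted("ssl.tls.version.min=9 ssl.tls.version.max=13"))
```

A result of None for a client capped at TLSv1.0 is the outcome to look for when the goal is to exclude TLSv1.0.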