Secure Sockets Layer (SSL) and the more recent Transport Layer Security (TLS) protocols are the cornerstones of Internet security, providing a standard for authenticated transactions using secure key exchange and encryption. With support for TLS 1.2, Traffic Manager offers a wider range of protocol options, including stronger ciphers for authentication and the ability for clients to specify which hash and signature algorithms they will accept. Traffic Manager also permits full control over the selection of security settings per virtual server, per pool, or as a global setting, to suit a range of enterprise deployment options.
However, from time to time we update the list of protocols that are supported and enabled, to reflect recommendations from NIST and other agencies about which protocols are preferred for securing web applications. For example, in Traffic Manager 9.8 we changed the default settings so that SSL v2 and v3 must be explicitly enabled before they can be used, and in future versions we will remove support for these older protocols completely.
NIST publishes a very useful guide to the selection of TLS implementations:
The IETF has also published guidelines with recommendations for the use of TLS:
SSL v2 deprecated from vTM 10.4
From Traffic Manager 10.4, SSL v2 remains available to applications but is deprecated: future releases of vTM will not include SSL v2 as an option. SSL v2 will be supported within the 10.4 LTS (Long Term Support) program for customers that need to continue to use SSL v2.
SSL/TLS protocol configuration
Traffic Manager allows security settings to be configured per virtual server, per pool, or with a single global setting, depending on how you need to configure your applications. As shown in the table below, SSL v2 and v3 are disabled by default, but each of the security protocols can be enabled to suit the security profile that you need. When a client creates a connection to your application, vTM negotiates the most secure protocol that is both supported by the client and enabled in vTM for that connection.
| Security Protocol | Enabled by Default | Configurable in vTM 10.4 |
|---|---|---|
| SSL v2 | No | Yes, Deprecated |
| SSL v3 | No | Yes |
| TLS 1.0 | Yes | Yes |
| TLS 1.1 | Yes | Yes |
| TLS 1.2 | Yes | Yes |
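The following is an added illustration, not Traffic Manager code: it models the behaviour described above, with the table's defaults as the global settings, a per-virtual-server override layered on top, and the server choosing the most secure protocol that the client offers and that is enabled on its side. The protocol names, the precedence rule (virtual-server setting wins over global) and the client profiles are assumptions made for the illustration.

```python
"""Model of layered SSL/TLS protocol settings and version negotiation.

Added example; the precedence rule and names are assumptions, not vTM's own
configuration model.
"""

# Ordered from least to most secure; the position is the preference rank.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Defaults as listed in the table: SSL v2 and v3 off, TLS 1.0 to 1.2 on.
GLOBAL_DEFAULTS = {
    "SSLv2": False,
    "SSLv3": False,
    "TLSv1.0": True,
    "TLSv1.1": True,
    "TLSv1.2": True,
}


def effective_settings(global_settings, vserver_overrides=None):
    """Merge per-virtual-server overrides onto the global settings.

    Assumed precedence: a value set on the virtual server wins; anything
    not overridden inherits the global value.
    """
    merged = dict(global_settings)
    for proto, enabled in (vserver_overrides or {}).items():
        if proto not in merged:
            raise ValueError(f"unknown protocol: {proto}")
        merged[proto] = enabled
    return merged


def negotiate(client_offered, server_settings):
    """Return the most secure protocol both offered by the client and enabled
    on the server, or None when there is no overlap (the handshake fails)."""
    enabled = {p for p, on in server_settings.items() if on}
    candidates = [p for p in client_offered if p in enabled]
    if not candidates:
        return None
    return max(candidates, key=PROTOCOL_ORDER.index)


def demo():
    """Run three constructed scenarios and return the negotiated protocols."""
    modern_client = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]   # constructed profile
    legacy_client = ["SSLv2", "SSLv3"]                  # constructed profile

    defaults = effective_settings(GLOBAL_DEFAULTS)
    # A virtual server that explicitly re-enables SSL v3 for a legacy app.
    legacy_vs = effective_settings(GLOBAL_DEFAULTS, {"SSLv3": True})

    return {
        "modern_on_defaults": negotiate(modern_client, defaults),    # TLSv1.2
        "legacy_on_defaults": negotiate(legacy_client, defaults),    # None
        "legacy_on_legacy_vs": negotiate(legacy_client, legacy_vs),  # SSLv3
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'handshake rejected'}")
```

The second scenario is the one worth noticing: with the defaults in the table, a client that only speaks SSL v2 or v3 gets no connection at all, so re-enabling a legacy protocol on one virtual server is a deliberate, scoped decision rather than a global weakening.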
TLS 1.2 advantages
At the time of writing (March 2016) TLS 1.2 is the recommended security protocol for web applications, and the TLS 1.3 specification is being finalised. TLS 1.2 includes a range of improvements over the previous version, including performance enhancements using the latest AES-GCM ciphers. Be sure to check with your own local security teams as to the recommended security protocols and ciphers for your applications.
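As an added example (not Traffic Manager code), the Python ssl module can express the same policy on an application server: TLS 1.2 as the minimum version and only AES-GCM cipher suites with ephemeral key exchange. The cipher string is an assumption chosen for the illustration; the audit function shows how to verify what the resulting context will actually offer.

```python
"""Build a TLS context with a TLS 1.2 floor and AEAD-only cipher suites, and
audit what it offers. Added example using the standard library's ssl module;
the cipher string "ECDHE+AESGCM" is an assumed policy, not vTM's setting."""
import ssl


def hardened_context():
    """Server context: TLS 1.2 or later, ECDHE key exchange, AES-GCM only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 suites to forward-secret AES-GCM; CBC and RC4 are excluded.
    # TLS 1.3 suites, if the OpenSSL build supports them, are all AEAD anyway.
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx


def tls12_suite_names(ctx):
    """Names of the TLS 1.2 cipher suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def audit(ctx):
    """Summarise the policy so it can be checked against local guidance."""
    suites = ctx.get_ciphers()
    return {
        "minimum_version": ctx.minimum_version.name,
        "suite_count": len(suites),
        "all_aead": bool(suites) and all(c["aead"] for c in suites),
        "tls12_all_gcm": all("GCM" in n for n in tls12_suite_names(ctx)),
    }


if __name__ == "__main__":
    for key, value in audit(hardened_context()).items():
        print(f"{key}: {value}")
```

`get_ciphers()` reports what OpenSSL will really negotiate after the policy is applied, which is the check to run rather than trusting the cipher string alone.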
For more information: