SSLDISABLELEGACYTLS

The SSLDISABLELEGACYTLS option specifies whether to use the Transport Layer Security (TLS) 1.2 or later protocol for Secure Sockets Layer (SSL) sessions. The server rejects connection attempts that use levels earlier than TLS 1.2.

Syntax

   .-SSLDISABLELEGACYTLS--No------.   
>>-+------------------------------+----------------------------><
   '-SSLDISABLELEGACYTLS--+-No--+-'   
                          '-Yes-'     

Parameters

Yes
Specifies that the server uses the TLS 1.2 or later protocol for SSL sessions.

The SSLDISABLELEGACYTLS option overrides the SSLTLS12=NO option and enforces the rejection of SSL connection attempts that use levels earlier than TLS 1.2.

Requirements: Before you use TLS 1.2, ensure that the following settings are correct:
  • For the server and storage agent, if you use self-signed certificates, you must set the default label in the key database to "TSM Server SelfSigned SHA Key".
  • For backup-archive clients, if you use self-signed certificates, you must import the cert256.arm file.
No
Specifies that the server allows TLS 1.1 and earlier protocols for SSL sessions. Specify the SSLTLS12=YES option to allow the server to use TLS 1.2 in addition to earlier protocols.

If you specify the SSLTLS12=YES option and do not specify the SSLDISABLELEGACYTLS option, TLS 1.2 might be used.

Table 1. TLS versions used by the server for the SSLTLS12 and SSLDISABLELEGACYTLS options

SSLTLS12   SSLDISABLELEGACYTLS   TLS version that is used by the server
--------   -------------------   --------------------------------------
No*        No*                   ≤ TLS 1.1
No*        Yes                   ≥ TLS 1.2
Yes        No*                   ≤ TLS 1.2
Yes        Yes                   ≥ TLS 1.2

Notes:
  1. An asterisk (*) indicates the default for an option.
  2. A less than or equal symbol (≤) indicates the highest TLS version that is used by the server.
  3. A greater than or equal symbol (≥) indicates the lowest TLS version that is used by the server.
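The following is an added example, not code from the product or this page: a small audit script that reads a server options file, applies the defaults from Table 1 for SSLTLS12 and SSLDISABLELEGACYTLS, and reports the TLS version range the server would accept and whether anything below TLS 1.2 remains allowed. It assumes the options file format is one "NAME VALUE" per line with lines starting with "*" treated as comments; the sample options text is constructed.

```python
# Constructed sample of a server options file (dsmserv.opt style); not from the page.
SAMPLE_OPT = """\
* constructed example: SSLTLS12 is set, SSLDISABLELEGACYTLS is left at its default
COMMMETHOD TCPIP
ssltls12 yes
"""

# Rows of Table 1: (SSLTLS12, SSLDISABLELEGACYTLS) -> (lowest, highest) TLS version.
# None means the table states no bound on that side.
TLS_MATRIX = {
    ("NO", "NO"):   (None, "1.1"),
    ("NO", "YES"):  ("1.2", None),
    ("YES", "NO"):  (None, "1.2"),
    ("YES", "YES"): ("1.2", None),
}
DEFAULTS = {"SSLTLS12": "NO", "SSLDISABLELEGACYTLS": "NO"}


def parse_options(text):
    """Return {OPTION: VALUE} from options-file text.
    Assumption: '*' starts a comment, entries are 'NAME VALUE',
    names and values are case-insensitive, and a later line wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip().upper()
    return opts


def resolve_tls(text):
    """Apply defaults, validate both options, and report the accepted TLS range."""
    opts = parse_options(text)
    tls12 = opts.get("SSLTLS12", DEFAULTS["SSLTLS12"])
    legacy_off = opts.get("SSLDISABLELEGACYTLS", DEFAULTS["SSLDISABLELEGACYTLS"])
    if (tls12, legacy_off) not in TLS_MATRIX:
        raise ValueError("SSLTLS12 and SSLDISABLELEGACYTLS must be Yes or No")
    lowest, highest = TLS_MATRIX[(tls12, legacy_off)]
    return {
        "SSLTLS12": tls12,
        "SSLDISABLELEGACYTLS": legacy_off,
        "lowest": lowest,
        "highest": highest,
        # Only SSLDISABLELEGACYTLS=YES raises the floor to TLS 1.2.
        "legacy_allowed": legacy_off != "YES",
    }


if __name__ == "__main__":
    print(resolve_tls(SAMPLE_OPT))
```

Run it against a real options file by passing the file contents to resolve_tls; a result with legacy_allowed True means connections below TLS 1.2 are still accepted.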

Examples

Specify that the server uses the TLS 1.2 or later protocol for SSL sessions:

ssldisablelegacytls yes

Specify that the server allows TLS 1.1 and earlier protocols for SSL sessions:

ssldisablelegacytls no