SSLHIDELEGACYTLS

The SSLHIDELEGACYTLS option specifies whether to restrict the availability of Transport Layer Security (TLS) 1.1 and earlier protocols for Secure Sockets Layer (SSL) ports on which the server or storage agent listens.

You can use this option to prevent failed attempts to use TLS 1.1 and earlier protocols for connections from being logged as errors. Conversely, leaving those failures logged lets you determine whether any clients are not yet configured to use TLS 1.2.

This option is useful in scenarios such as the following one:
  1. You want to restrict secure communications to use TLS 1.2. In this way, you prevent the use of previous TLS protocol levels, which are less secure. To restrict communications to TLS 1.2, you specify a value of YES for the SSLDISABLELEGACYTLS option.
  2. To ensure that failures to use earlier protocols are not logged as errors, you specify YES for the SSLHIDELEGACYTLS option.

Restriction: The SSLHIDELEGACYTLS option applies only if you specify YES for the SSLDISABLELEGACYTLS option.

Syntax

   .-SSLHIDELEGACYTLS--No------.   
>>-+---------------------------+-------------------------------><
   '-SSLHIDELEGACYTLS--+-No--+-'   
                       '-Yes-'     

Parameters

Yes
Servers and storage agents preclude the use of TLS 1.1 or earlier protocols for SSL ports. Failed attempts to use TLS 1.1 or earlier protocols do not generate error messages in the activity log.
No
Servers and storage agents detect TLS 1.1 or earlier protocols for SSL ports, even if sessions that use those protocols are disabled. This is the default setting.

Example

Specify that servers and storage agents do not detect TLS 1.1 or earlier protocols for SSL ports:

ssldisablelegacytls yes
sslhidelegacytls yes
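As an added example (not part of the IBM documentation), the following Python audit reads a server options file and reports the effective posture of the SSLDISABLELEGACYTLS/SSLHIDELEGACYTLS pair, flagging the case the restriction above describes (SSLHIDELEGACYTLS YES without SSLDISABLELEGACYTLS YES). The options-file handling (one option per line, lines starting with "*" are comments, case-insensitive names, last occurrence wins) and treating an unspecified SSLDISABLELEGACYTLS as not set are assumptions, since this page does not state that option's default.

```python
"""Audit the SSLDISABLELEGACYTLS / SSLHIDELEGACYTLS pair in a server options file."""
import re

# SSLHIDELEGACYTLS defaults to No (stated on this page). SSLDISABLELEGACYTLS is
# ASSUMED to be unset when absent; its default is not given here.
DEFAULTS = {"SSLHIDELEGACYTLS": "NO", "SSLDISABLELEGACYTLS": None}

def parse_options(text):
    """Return {OPTION: VALUE} for the two audited options, upper-cased.
    Assumed dsmserv.opt conventions: one option per line, '*' starts a
    comment, option names are case-insensitive, last occurrence wins."""
    found = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        m = re.match(r"(\w+)\s+(\S+)", line)
        if m and m.group(1).upper() in found:
            found[m.group(1).upper()] = m.group(2).upper()
    return found

def audit_legacy_tls(text):
    """Return (state, findings): the effective behaviour and what to act on."""
    opts = parse_options(text)
    disable, hide = opts["SSLDISABLELEGACYTLS"], opts["SSLHIDELEGACYTLS"]
    findings = []
    if disable != "YES":
        state = "legacy-tls-allowed"
        findings.append("TLS 1.1 and earlier still accepted on SSL ports; "
                        "set SSLDISABLELEGACYTLS YES")
        if hide == "YES":
            findings.append("SSLHIDELEGACYTLS YES has no effect unless "
                            "SSLDISABLELEGACYTLS YES is set")
    elif hide == "YES":
        state = "legacy-tls-disabled-hidden"
        findings.append("Legacy TLS failures are not logged; clients still on "
                        "TLS 1.1 or earlier will not appear in the activity log")
    else:
        state = "legacy-tls-disabled-logged"
        findings.append("Legacy TLS failures are logged; review the activity "
                        "log to find clients not yet on TLS 1.2")
    return state, findings

# Constructed sample file: the hide option set without the option it depends on.
SAMPLE_OPT = """\
* dsmserv.opt (constructed sample, not a real server file)
COMMMETHOD TCPIP
sslhidelegacytls yes
"""

if __name__ == "__main__":
    state, findings = audit_legacy_tls(SAMPLE_OPT)
    print(state)
    for finding in findings:
        print(" -", finding)
```

Run it against a copy of the real options file to confirm that the hide option is only set once legacy TLS is actually disabled, and that you have first used the logged failures to find stragglers.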