TLS function negotiation

TLS protocols enable the TLS client and TLS server to negotiate additional functionality for a connection. If either the TLS client or TLS server does not understand a function, the function is not used on the connection. However, the TLS client or TLS server might require that the function be supported by the remote partner. If the remote partner does not support the function, the connection can be closed. Each function can be configured as Required, Optional, or Off.
  • Required

    The connection ends if the remote endpoint does not accept the TLS function.

  • Optional

    The function is negotiated on the connection, but the connection does not end if the remote partner does not support the function.

  • Off

    The function is not supported on the connection. If the remote partner requires this function, the remote partner closes this connection.

Guideline: For TLS servers, configure the functions as Optional so that remote partners that require a function are still able to connect.
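The three settings above can be worked through as an outcome matrix. The following is an added example, not code from the product documentation: a simplified model in which a partner that does not understand a function is treated the same as Off, and the names `Setting`, `negotiate`, and `failing_clients` are hypothetical.

```python
from enum import Enum
from itertools import product


class Setting(Enum):
    REQUIRED = "Required"
    OPTIONAL = "Optional"
    OFF = "Off"


def negotiate(client, server):
    """Model one function on one connection.

    Returns (outcome, closed_by), where outcome is "used", "not used"
    or "closed", and closed_by names the side that ends the connection.
    Assumption: a partner that does not understand the function
    behaves like Off.
    """
    # A side set to Required ends the connection when its partner
    # does not support the function.
    for side, mine, theirs in (("client", client, server),
                               ("server", server, client)):
        if mine is Setting.REQUIRED and theirs is Setting.OFF:
            return ("closed", side)
    # The function is used only when both sides support it.
    if Setting.OFF in (client, server):
        return ("not used", None)
    return ("used", None)


def failing_clients(server):
    """Client settings that cannot keep a connection to this server setting."""
    return [c for c in Setting if negotiate(c, server)[0] == "closed"]


if __name__ == "__main__":
    # Full client x server matrix.
    for client, server in product(Setting, repeat=2):
        outcome, closed_by = negotiate(client, server)
        note = f" (closed by {closed_by})" if closed_by else ""
        print(f"client={client.value:<8} server={server.value:<8} -> {outcome}{note}")
    # The guideline: only Optional on the server has no failing client setting.
    for server in Setting:
        names = [c.value for c in failing_clients(server)] or ["none"]
        print(f"server={server.value:<8} failing client settings: {', '.join(names)}")
```

In this model a server set to Off loses clients that require the function, and a server set to Required loses clients that have it Off; Optional is the only server setting with no failing client configuration.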