VMware Networking Community
vmmed1
Enthusiast

vServer support for TLS 1.0 1.1 1.2

What determines if a vServer listening at port 443/SSL and configured with a certificate supports TLS 1.0? Is that something endemic to the certificate itself? Or is that set elsewhere?

0 Kudos
1 Reply
lhoffer
VMware Employee

Assuming you're referring to virtual servers on an edge load balancer, this would be determined by the cipher(s) you select in the application profile.

As of NSX 6.2.4, SSLv3 and TLS 1.0 are both disabled by default, so I usually just tell folks that if you want both TLS 1.1 and 1.2 support, you can choose the default (to enable all ciphers) or any specific ciphers you want. If, on the other hand, you want to only support 1.2, select only the ciphers that don't use SHA-1 (so select only the ciphers that end in SHA256 or SHA384). There are actually a few ECDH-based ciphers in TLS 1.2 that do use SHA-1 as well, so if you're interested I'd encourage you to check out the NSX-v 6.3 - Load Balancing capabilities + configuration examples (and more...) guide. This is discussed in further detail starting on slide 77.

0 Kudos
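
The selection rule from the reply above, written as a small audit script. This is an added example, not part of the original thread and not VMware code. It assumes OpenSSL-style cipher names (the sample lists are constructed), that TLS 1.0 and SSLv3 are already disabled by the platform as the reply states, and it models the default "all ciphers" choice as an empty selection.

```python
# Added example: audit an application profile's cipher selection with the
# rule of thumb from the reply. Names and sample lists are constructed.

# Suites whose names end in SHA256/SHA384 are defined only for TLS 1.2.
TLS12_ONLY_SUFFIXES = ("-SHA256", "-SHA384")


def lowest_version(cipher):
    """Return the lowest enabled TLS version that can negotiate this cipher."""
    name = cipher.strip().upper()
    if name.endswith(TLS12_ONLY_SUFFIXES):
        return "TLSv1.2"
    if name.endswith("-SHA"):
        # SHA-1 suites, including the ECDHE ones the reply mentions, also
        # negotiate below TLS 1.2. TLS 1.0 is assumed off, so the floor is 1.1.
        return "TLSv1.1"
    raise ValueError(f"unrecognised cipher name: {cipher!r}")


def audit_profile(ciphers):
    """Report which TLS versions a cipher selection leaves reachable."""
    if not ciphers:
        # Assumption: an empty selection stands for the default (all ciphers).
        return {"versions": ["TLSv1.1", "TLSv1.2"], "tls12_only": False,
                "sha1_ciphers": []}
    sha1 = [c for c in ciphers if lowest_version(c) == "TLSv1.1"]
    # Every selected suite works under TLS 1.2; only SHA-1 suites admit 1.1.
    versions = ["TLSv1.1", "TLSv1.2"] if sha1 else ["TLSv1.2"]
    return {"versions": versions, "tls12_only": not sha1, "sha1_ciphers": sha1}


# Constructed sample selections.
MIXED = ["AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
         "ECDHE-RSA-AES128-SHA"]
STRICT = ["AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA256"]

if __name__ == "__main__":
    for label, selection in (("mixed", MIXED), ("strict", STRICT)):
        result = audit_profile(selection)
        print(label, result["versions"], "remove:", result["sha1_ciphers"])
```

Any cipher listed under `sha1_ciphers` is one to deselect in the application profile if the virtual server should answer TLS 1.2 only.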