Disabling SSL protocol versions for the SSL server

About disabling SSL protocol versions for the SSL server

To enhance system security, you can prevent the SSL server from using specific SSL protocol versions (SSL 3.0, TLS 1.0, and TLS 1.1) for session negotiation.

Restrictions and guidelines

Disabling an SSL protocol version does not affect the availability of earlier SSL protocol versions. For example, if you execute the ssl version tls1.1 disable command, TLS 1.1 is disabled but TLS 1.0 is still available for the SSL server.

Procedure

  1. Enter system view.

    system-view

  2. Disable SSL protocol versions for the SSL server.

    In non-FIPS mode:

    ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable

    By default, the SSL server supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

    In FIPS mode:

    ssl version { tls1.0 | tls1.1 } * disable

    By default, the SSL server supports TLS 1.0, TLS 1.1, and TLS 1.2.
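
The following offline check is an added example, not part of the original page or the vendor's tooling. It applies every ssl version ... disable line in a saved configuration to the defaults stated above and reports which versions the SSL server still supports. It assumes the disable lines appear in the configuration text as typed and that { ... } * allows one or more keywords on one line; the sample configurations are constructed.

```python
import re

# Default supported versions per mode, as stated in the procedure above.
DEFAULTS = {
    "non-fips": ["ssl3.0", "tls1.0", "tls1.1", "tls1.2"],
    "fips": ["tls1.0", "tls1.1", "tls1.2"],
}
# Keywords the ssl version ... disable command accepts in each mode.
DISABLEABLE = {
    "non-fips": {"ssl3.0", "tls1.0", "tls1.1"},
    "fips": {"tls1.0", "tls1.1"},
}
CMD = re.compile(r"^\s*ssl version\s+(.+?)\s+disable\s*$")


def enabled_versions(config_text, mode="non-fips"):
    """Return the versions still supported after all disable lines apply."""
    disabled = set()
    for line in config_text.splitlines():
        match = CMD.match(line)
        if not match:
            continue
        keywords = match.group(1).split()
        unknown = [k for k in keywords if k not in DISABLEABLE[mode]]
        if unknown:
            raise ValueError(f"not valid in {mode} mode: {unknown}")
        # Only the named versions are removed; earlier ones stay available.
        disabled.update(keywords)
    return [v for v in DEFAULTS[mode] if v not in disabled]


def remaining_older_versions(config_text, mode="non-fips"):
    """Versions the command could disable but the configuration leaves on."""
    enabled = enabled_versions(config_text, mode)
    return [v for v in enabled if v in DISABLEABLE[mode]]


# Constructed sample configurations (not taken from a real device).
ONLY_TLS11 = "sysname Constructed\nssl version tls1.1 disable\n"
ALL_OLDER = "sysname Constructed\nssl version ssl3.0 tls1.0 tls1.1 disable\n"

if __name__ == "__main__":
    for name, cfg in (("ONLY_TLS11", ONLY_TLS11), ("ALL_OLDER", ALL_OLDER)):
        print(name, enabled_versions(cfg), remaining_older_versions(cfg))
```

A non-empty result from remaining_older_versions means the configuration still lets the SSL server negotiate a version that the command could have disabled.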