SSL/TLS Settings

These settings configure the server policies regarding SSL/TLS communication and certificate trust.

SSL/TLS Version

Key name in the configuration file: tlsSettingsProtocol

Value type: String

Possible values: SSL, SSLv2, SSLv3, TLS, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

Default value: TLS

Specifies the minimum version of the SSL/TLS protocol to be used for secure communication.
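The setting is a floor, not an exact version: a value of TLSv1.2 still permits TLSv1.3. The following added example (not code from the product this page documents) makes that explicit in Python and translates the value into an `ssl.SSLContext` that enforces the same floor. It assumes that the family names "SSL" and "TLS" mean "any version of that family", i.e. the lowest member, since the page does not spell this out, and it refuses to enforce an SSL-era floor because no current OpenSSL build enables those obsolete protocols.

```python
import ssl

# Documented tlsSettingsProtocol values, ordered lowest to highest.
_VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Assumption: a bare family name stands for its lowest member, the most permissive reading.
_ALIASES = {"SSL": "SSLv2", "TLS": "TLSv1"}

# TLS floors that the Python ssl module can enforce; SSL 2.0/3.0 are deliberately absent.
_PY_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def allowed_versions(setting: str) -> list:
    """Protocol versions a 'minimum version' setting permits: the floor and everything above it."""
    floor = _ALIASES.get(setting, setting)
    if floor not in _VERSION_ORDER:
        raise ValueError(f"unknown tlsSettingsProtocol value: {setting!r}")
    return _VERSION_ORDER[_VERSION_ORDER.index(floor):]


def build_client_context(setting: str) -> ssl.SSLContext:
    """Build a verifying client context whose minimum_version matches the setting.

    An SSL-era floor is refused rather than silently raised to TLSv1, so a
    misconfiguration is visible instead of being quietly reinterpreted.
    """
    floor = _ALIASES.get(setting, setting)
    if floor not in _PY_VERSION:
        raise ValueError(f"refusing to enforce an SSL-era minimum: {setting!r}")
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = _PY_VERSION[floor]
    # maximum_version is left at MAXIMUM_SUPPORTED: a floor never caps the ceiling.
    return ctx


if __name__ == "__main__":
    for value in ("TLS", "TLSv1.2", "TLSv1.3"):
        print(value, "->", allowed_versions(value))
    print(build_client_context("TLSv1.2").minimum_version)
```

Note that the default value TLS maps, under the assumption above, to a TLSv1 floor; a deployment that wants to exclude TLS 1.0 and 1.1 has to set TLSv1.2 explicitly.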

Certificate Trust Policy

Key name in the configuration file: tlsSettingsCertificateTrustPolicy

Value type: Integer

Possible values:

  • 0: Trust all certificates (Danger! Extremely insecure. Avoid except in tightly controlled testing environments.)

  • 1: Trust self-signed active non-expired certificates (Use with extreme caution, primarily for testing or very isolated internal systems.)

  • 2: Trust certificates verified via default certification authorities (System's built-in trusted CAs).

  • 3: Trust certificates verified via locally defined certification authorities (Custom CAs added to the system).

  • 4: Trust certificates verified via default and locally defined certification authorities.

Default value: 4

Defines how to verify the authenticity of certificates presented during an SSL/TLS connection.
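The five policy values differ in which certificates they accept and in whether the validity period is checked at all. The added example below (not code from the product this page documents) models that decision in Python over constructed certificate facts, so the effect of each value can be seen side by side: value 0 accepts even an expired self-signed certificate, value 1 accepts a self-signed certificate only while it is active and non-expired, and values 2 to 4 differ only in which CA stores a chain may terminate in. The page does not say whether CA-issued certificates are also accepted under value 1, so the example accepts only what the text names there; the `CertFacts` fields are assumed stand-ins for what a TLS library would establish during path validation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Values of tlsSettingsCertificateTrustPolicy, as documented above.
TRUST_ALL, TRUST_SELF_SIGNED, TRUST_DEFAULT_CAS, TRUST_LOCAL_CAS, TRUST_ANY_CA = range(5)


@dataclass
class CertFacts:
    """Constructed facts a TLS library would establish about a peer certificate (not a real cert)."""
    self_signed: bool
    not_before: datetime
    not_after: datetime
    chains_to_default_ca: bool   # path builds to one of the system's built-in trusted CAs
    chains_to_local_ca: bool     # path builds to a locally added custom CA


def is_trusted(policy: int, cert: CertFacts, now: datetime) -> bool:
    """Decide whether the connection may proceed under the given trust policy value."""
    if policy == TRUST_ALL:
        return True                       # no validation at all, hence the warning on the page
    active = cert.not_before <= now <= cert.not_after
    if policy == TRUST_SELF_SIGNED:
        # Only what the page names: an active, non-expired, self-signed certificate.
        # Whether CA-issued certificates are also accepted here is not specified on the page.
        return cert.self_signed and active
    if not active:
        return False                      # an expired or not-yet-valid certificate never verifies
    if policy == TRUST_DEFAULT_CAS:
        return cert.chains_to_default_ca
    if policy == TRUST_LOCAL_CAS:
        return cert.chains_to_local_ca
    if policy == TRUST_ANY_CA:
        return cert.chains_to_default_ca or cert.chains_to_local_ca
    raise ValueError(f"unknown tlsSettingsCertificateTrustPolicy value: {policy}")


# Constructed sample certificates evaluated at a fixed point in time.
_UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=_UTC)
VALID_SELF_SIGNED = CertFacts(True, datetime(2024, 1, 1, tzinfo=_UTC), datetime(2025, 1, 1, tzinfo=_UTC), False, False)
EXPIRED_SELF_SIGNED = CertFacts(True, datetime(2023, 1, 1, tzinfo=_UTC), datetime(2024, 1, 1, tzinfo=_UTC), False, False)
PUBLIC_CA_ISSUED = CertFacts(False, datetime(2024, 1, 1, tzinfo=_UTC), datetime(2025, 1, 1, tzinfo=_UTC), True, False)
INTERNAL_CA_ISSUED = CertFacts(False, datetime(2024, 1, 1, tzinfo=_UTC), datetime(2025, 1, 1, tzinfo=_UTC), False, True)

if __name__ == "__main__":
    samples = (VALID_SELF_SIGNED, EXPIRED_SELF_SIGNED, PUBLIC_CA_ISSUED, INTERNAL_CA_ISSUED)
    for policy in range(5):
        print(policy, [is_trusted(policy, c, NOW) for c in samples])
```

The default value 4 rejects both self-signed samples and accepts chains to either CA store; value 1 is the only one that accepts a self-signed certificate, and only while it is within its validity period.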

Certificate Revocation Checking

Key name in the configuration file: tlsSettingsRevocationChecking

Value type: Integer

Possible values:

  • 0: No revocation checking.

  • 1: Check revocation for certificates issued by default trusted certification authorities.

  • 2: Check revocation for certificates issued by locally defined certification authorities.

  • 3: Check revocation for certificates issued by all trusted certification authorities (both default and custom).

Default value: 1

Determines which trusted CAs have certificate revocation checking enabled.

Prefer CRLs

Key name in the configuration file: tlsSettingsRevocationPreferCrls

Value type: Boolean

Possible values: true or false

Default value: true

If enabled, Certificate Revocation Lists (CRLs) are the primary method for checking certificate revocation status and the Online Certificate Status Protocol (OCSP) is the fallback. If disabled, OCSP is the primary method and CRLs are the fallback.

Preferred Check Only

Key name in the configuration file: tlsSettingsRevocationNoFallback

Value type: Boolean

Possible values: true or false

Default value: true

If enabled, only the preferred method of checking certificate revocation status is used and the fallback mechanism is disabled.

Ignore Network Errors

Key name in the configuration file: tlsSettingsRevocationSoftFail

Value type: Boolean

Possible values: true or false

Default value: true

If enabled, allow the revocation check to succeed when the revocation status cannot be determined for one of the following reasons:

  • The CRL or OCSP response cannot be obtained because of a network error.

  • The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater.

End Entity Certificates Only

Key name in the configuration file: tlsSettingsRevocationOnlyEndEntity

Value type: Boolean

Possible values: true or false

Default value: false

If enabled, only check the revocation status of end-entity certificates.
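The revocation settings above (Certificate Revocation Checking, Prefer CRLs, Preferred Check Only, Ignore Network Errors and End Entity Certificates Only) interact, and the documented defaults combine in a way that is easy to miss: with Prefer CRLs and Preferred Check Only both true, OCSP is never consulted, and with Ignore Network Errors true an unreachable CRL distribution point means the check passes without any revocation information at all. The following added example (not code from the product this page documents) models those five keys in Python and runs them over a constructed certificate chain so the combinations can be compared. The `ChainCert` fields, the issuer labels "default", "local" and "self", and the result strings are assumptions made for the example; the OCSP response status names come from section 2.3 of RFC 2560 as cited on the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values of tlsSettingsRevocationChecking, as documented above.
NO_CHECK, CHECK_DEFAULT_CAS, CHECK_LOCAL_CAS, CHECK_ALL_CAS = range(4)

# OCSPResponseStatus values (RFC 2560 section 2.3) that the soft-fail setting tolerates.
SOFT_FAIL_OCSP_STATUSES = {"internalError", "tryLater"}


@dataclass
class RevocationSettings:
    """The five revocation keys, each initialised to its documented default."""
    checking: int = CHECK_DEFAULT_CAS   # tlsSettingsRevocationChecking
    prefer_crls: bool = True            # tlsSettingsRevocationPreferCrls
    no_fallback: bool = True            # tlsSettingsRevocationNoFallback
    soft_fail: bool = True              # tlsSettingsRevocationSoftFail
    only_end_entity: bool = False       # tlsSettingsRevocationOnlyEndEntity


@dataclass
class ChainCert:
    """Constructed stand-in for one certificate in a validated chain (not a real cert).

    crl / ocsp hold the answer each source gives about this certificate: "good" or
    "revoked"; for ocsp also an RFC 2560 response status such as "tryLater";
    None means the source could not be reached (network error).
    """
    subject: str
    issued_by: str          # "default" (system CA), "local" (custom CA) or "self"
    crl: Optional[str]
    ocsp: Optional[str]


def _in_scope(cert: ChainCert, checking: int) -> bool:
    """Does tlsSettingsRevocationChecking cover certificates from this issuer?"""
    if checking == NO_CHECK:
        return False
    if checking == CHECK_DEFAULT_CAS:
        return cert.issued_by == "default"
    if checking == CHECK_LOCAL_CAS:
        return cert.issued_by == "local"
    if checking == CHECK_ALL_CAS:
        return cert.issued_by in ("default", "local")
    raise ValueError(f"unknown tlsSettingsRevocationChecking value: {checking}")


def _query(cert: ChainCert, method: str) -> Tuple[str, str]:
    """Ask one source; returns (status, reason) with status good / revoked / undetermined."""
    answer = cert.crl if method == "crl" else cert.ocsp
    if answer is None:
        return "undetermined", f"{method}_network_error"
    if method == "ocsp" and answer in SOFT_FAIL_OCSP_STATUSES:
        return "undetermined", f"ocsp_{answer}"
    return answer, method


def check_cert(cert: ChainCert, s: RevocationSettings) -> Tuple[str, str]:
    """Apply Prefer CRLs, Preferred Check Only and Ignore Network Errors to one certificate."""
    order = ["crl", "ocsp"] if s.prefer_crls else ["ocsp", "crl"]
    if s.no_fallback:
        order = order[:1]               # preferred check only
    reason = ""
    for method in order:
        status, reason = _query(cert, method)
        if status in ("good", "revoked"):
            return status, reason
    # Every permitted method came back undetermined for a tolerated reason.
    return ("accepted_soft_fail" if s.soft_fail else "rejected_undetermined"), reason


def check_chain(chain: List[ChainCert], s: RevocationSettings) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Evaluate a leaf-first chain; returns (connection allowed, per-certificate results)."""
    results = []
    for cert in (chain[:1] if s.only_end_entity else chain):
        if not _in_scope(cert, s.checking):
            results.append((cert.subject, "skipped_out_of_scope", ""))
            continue
        status, reason = check_cert(cert, s)
        results.append((cert.subject, status, reason))
        if status in ("revoked", "rejected_undetermined"):
            return False, results
    return True, results


# Constructed sample: the CRL distribution point is unreachable, the OCSP responder says "good".
SAMPLE_CHAIN = [
    ChainCert("leaf.example.test", issued_by="default", crl=None, ocsp="good"),
    ChainCert("Example Intermediate CA", issued_by="default", crl="good", ocsp="good"),
]

if __name__ == "__main__":
    for label, settings in [("documented defaults", RevocationSettings()),
                            ("fallback enabled", RevocationSettings(no_fallback=False)),
                            ("hard fail", RevocationSettings(soft_fail=False))]:
        print(label, check_chain(SAMPLE_CHAIN, settings))
```

Run against the sample chain, the documented defaults accept the leaf as `accepted_soft_fail` without ever asking the OCSP responder; enabling the fallback yields a definite `good` from OCSP; and setting Ignore Network Errors to false turns the unreachable CRL into a rejected connection. The example also shows that a certificate issued by a locally defined CA is not checked at all under the default value 1 of Certificate Revocation Checking, even if its CRL lists it as revoked.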
