Selecting Ciphers

To protect the security of the Proxy Server, you should enable SSL. You can enable the SSL 2.0, SSL 3.0, and TLS encryption protocols and select the various cipher suites. The SSL and TLS protocols can be enabled on the listen socket for the Administration Server. Enabling SSL and TLS on a listen socket for the Server Manager sets those security preferences for specific server instances. At least one certificate must be installed.

Enabling SSL on a listen socket applies only when the Proxy Server is configured to perform reverse proxying.

The default settings allow the most commonly used ciphers. Unless you have a compelling reason for not using a specific cipher suite, you should select them all.

The default and recommended setting for TLS Rollback is Enabled. This setting configures the server to detect “man-in-the-middle version rollback” attack attempts. Setting TLS Rollback to Disabled might be required for interoperability with some clients that incorrectly implement the TLS specification.

Disabling TLS Rollback leaves connections vulnerable to version rollback attacks. Version rollback attacks are a mechanism by which a third party can force a client and server to communicate using an older, less secure protocol such as SSL 2.0. Because SSL 2.0 protocol has known deficiencies, failing to detect “version rollback” attack attempts makes intercepting and decrypting encrypted connections easier for a third party.