Sun Java System Web Proxy Server 4.0.2 2005Q4 Administration Guide

Selecting Ciphers

To protect your Proxy Servers, enable SSL. You can enable the SSL 2.0, SSL 3.0, and TLS encryption protocols and select the cipher suites to use with them. SSL and TLS can be enabled on the listen socket for the Administration Server. Enabling SSL and TLS on a listen socket through the Server Manager sets those security preferences for that specific server instance. At least one server certificate must be installed before SSL can be enabled.


Note –

Enabling SSL on a listen socket applies only in a reverse proxy scenario. That is, only when the Proxy Server is configured to perform reverse proxying.


The default settings enable the most commonly used ciphers. Unless you have a compelling reason not to use a specific cipher suite, you should select them all. If you enable SSL 2.0, keep in mind the known deficiencies of that protocol described under TLS Rollback below. For more information regarding specific ciphers, see Introduction to SSL.

The default and recommended setting for TLS Rollback is Enabled. This configures the server to detect man-in-the-middle version rollback attack attempts. Setting this to Disabled may be required for interoperability with some clients that incorrectly implement the TLS specification; such clients fail the rollback check even when no attack is taking place.

Note that disabling TLS Rollback leaves connections vulnerable to version rollback attacks. In a version rollback attack, a third party who can modify traffic between the client and server forces the two sides to negotiate an older, less secure protocol such as SSL 2.0 even though both support a newer one. Because there are known deficiencies in the SSL 2.0 protocol, failing to detect such attempts makes it easier for that third party to intercept and decrypt the encrypted connection.
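The following is an added example, not code from the Sun Java System Web Proxy Server or its documentation. It models the rollback check that the TLS 1.0 specification (RFC 2246, section 7.4.7.1) defines for RSA key exchange: the client writes the highest protocol version it supports into the first two bytes of the premaster secret, which only the server can decrypt, and the server compares that value with the version it saw in the cleartext ClientHello. The example walks an honest handshake, a handshake where a man in the middle rewrites the ClientHello version, and a handshake with a client that wrongly writes the negotiated version instead of its highest version (the interoperability case). The rollback_detection flag is an assumption standing in for the server's TLS Rollback setting; the example covers only SSL 3.0 and TLS 1.0 and does not model the SSL 2.0 handshake format.

```python
# Added example modelling the TLS 1.0 version rollback check (RFC 2246, 7.4.7.1).
# Not the product's own code; rollback_detection is an assumed stand-in for the
# server's TLS Rollback setting.

import os
from dataclasses import dataclass

# Wire encodings of the protocol versions (major, minor). Tuples compare in order.
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)
PROTOCOL_NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0"}


@dataclass
class ClientHello:
    client_version: tuple  # highest version the client offers, sent in cleartext


def build_premaster_secret(client_max_version, negotiated_version, spec_compliant=True):
    """Client side: 48 bytes, the first two a protocol version, the rest random.
    A spec-compliant client writes the highest version it supports; a buggy
    client writes the version that was negotiated instead."""
    version = client_max_version if spec_compliant else negotiated_version
    return bytes(version) + os.urandom(46)


def negotiate(client_hello, server_versions):
    """Server picks the highest version both sides support, or None."""
    candidates = [v for v in server_versions if v <= client_hello.client_version]
    return max(candidates) if candidates else None


def check_premaster_version(client_hello, premaster, rollback_detection=True):
    """Server side, after RSA-decrypting the premaster secret.
    Returns (accepted, reason)."""
    pms_version = tuple(premaster[:2])
    if rollback_detection and pms_version != client_hello.client_version:
        return False, ("rollback suspected: ClientHello offered "
                       f"{PROTOCOL_NAMES.get(client_hello.client_version)} but the "
                       f"premaster secret carries {PROTOCOL_NAMES.get(pms_version)}")
    return True, "ok"


def run_handshake(client_max_version, server_versions, tamper_hello_to=None,
                  spec_compliant_client=True, rollback_detection=True):
    """Walk one handshake. tamper_hello_to models a man in the middle that
    rewrites the version in the cleartext ClientHello before the server sees it."""
    hello = ClientHello(client_version=client_max_version)
    if tamper_hello_to is not None:
        hello = ClientHello(client_version=tamper_hello_to)  # attacker edits the hello
    negotiated = negotiate(hello, server_versions)
    if negotiated is None:
        return {"negotiated": None, "accepted": False, "reason": "no common version"}
    # The premaster secret is encrypted to the server's public key, so the
    # attacker cannot alter the version the honest client placed inside it.
    pms = build_premaster_secret(client_max_version, negotiated, spec_compliant_client)
    accepted, reason = check_premaster_version(hello, pms, rollback_detection)
    return {"negotiated": PROTOCOL_NAMES[negotiated], "accepted": accepted, "reason": reason}


if __name__ == "__main__":
    srv = [SSL_3_0, TLS_1_0]  # constructed server configuration
    print("honest handshake:        ", run_handshake(TLS_1_0, srv))
    print("rollback, detection on:  ", run_handshake(TLS_1_0, srv, tamper_hello_to=SSL_3_0))
    print("rollback, detection off: ", run_handshake(TLS_1_0, srv, tamper_hello_to=SSL_3_0,
                                                     rollback_detection=False))
    print("buggy client, detect on: ", run_handshake(TLS_1_0, [SSL_3_0],
                                                     spec_compliant_client=False))
```

With detection enabled the tampered handshake is rejected because the ClientHello says SSL 3.0 while the decrypted premaster secret says TLS 1.0; with detection disabled the same connection completes on SSL 3.0 and the downgrade goes unnoticed. The last case shows why the guide mentions interoperability: a client that writes the negotiated version into the premaster secret looks exactly like a rollback attempt to a server with the check enabled.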