Configuring a TLS Protocols List

The TLS protocols field enables you to specify the list of protocols to be used and the order of preference in which they are to be used. The TLS protocols field has the following default state:

Protocol   Default state
SSL2       Disabled (permanently)
SSL3       Disabled
TLS1       Enabled
TLS1.1     Enabled
TLS1.2     Enabled

You can use the following protocol options when configuring the TLS protocols field:

Option   Note
ALL      All the protocols listed here.
SSL2     Accepted to match the Apache syntax. SSL2 is always disabled.
SSL3     SSL 3.0
TLS1     TLS 1.0
TLS1.1   TLS 1.1
TLS1.2   TLS 1.2
TLS1.3   Provided for future compatibility (see note 1).
TLS1.4   Provided for future compatibility (see note 1).
Note 1: The TLS1.3 and TLS1.4 options are accepted so that a configuration can name them; they are provided for future compatibility.

Each option must be preceded by an operator, with the exception of the special option ALL. The valid operators are:

!   Exclude. Permanently excludes the option that follows it and ignores any subsequent attempt to add that option back in.
+   Add. Adds the option that follows it to the existing protocol list.
-   Delete. Removes the option that follows it. The option can be added again if it appears at a subsequent point in the string.

This is the same syntax used by the Apache mod_ssl SSLProtocol directive. You can copy protocol lists from Apache installations into Visual COBOL with little or no modification.

Protocol definitions can be inserted into a connection definition in several different ways, and the options are additive: each string is applied to the list that results from the default state and any strings processed before it.

To remove SSL3 from the default list while keeping the remaining default options, add -SSL3 to the TLS protocols field.

To discard all of the default options you must specify -ALL at the start of each string; the new list is then built from the options that follow -ALL. Because TLS1 and TLS1.1 are enabled by default, and TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), a hardened connection definition normally starts with -ALL and adds only TLS1.2 (for example, -ALL+TLS1.2), adding TLS1.3 only where the underlying security module supports it.

Example TLS protocols options:

TLS protocols                Description
ALL                          Use the whole collection supported by the underlying security module.
-ALL                         Clear all protocols. This option precedes any new definitive list; see the next two rows.
-ALL+TLS1.1+TLS1.2           Only use TLS1.1 and TLS1.2.
-ALL-TLS1.1+TLS1.1+TLS1.2    Only use TLS1.1 and TLS1.2 (the -TLS1.1 is undone by the later +TLS1.1).
-ALL+TLS1.1 +TLS1.2-TLS1.2   Only use TLS1.1 (the space is ignored; +TLS1.2 is undone by the later -TLS1.2).
!ALL                         Syntactically correct but logically undesirable: it permanently removes all protocols, and its use results in an error state that prevents a client or server from starting.
Note:
  • A zero-length TLS protocols field string does not result in any change to the default behavior.
  • A TLS protocols field string which only contains a space character does not result in any change to the default behavior.
  • Space and tab characters within the string are ignored, other characters result in an error condition (0089).
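The following Python script is an added example, not Micro Focus code: it models the field semantics described above (the default state, the !, + and - operators, ALL, ignored spaces and tabs, error condition 0089, and the error state that an emptied list produces) so that a string can be checked before it is placed in a connection definition. The set that ALL expands to (DEFAULT_SUPPORTED), the rule that + appends options in the order written, the treatment of any empty result as a start-preventing error (the page states this only for !ALL), exact-case option names, and the absence of an error code for an option that lacks an operator are assumptions of the example, not statements from the page.

```python
"""Model of the Visual COBOL 'TLS protocols' field (added example, not Micro Focus code).

It applies the Apache-style !, + and - operators to the documented default state and
returns the resulting preference list, reproducing the edge cases the page lists.
"""
import re
from typing import List, Optional, Set, Tuple

# Default state from the page: SSL2 off (permanently), SSL3 off, TLS1/TLS1.1/TLS1.2 on.
DEFAULT_ENABLED: List[str] = ["TLS1", "TLS1.1", "TLS1.2"]

# Assumption: the protocols the underlying security module supports, which is what
# ALL expands to. SSL2 is deliberately absent because it can never be enabled.
DEFAULT_SUPPORTED: List[str] = ["SSL3", "TLS1", "TLS1.1", "TLS1.2"]

ERR_INVALID_CHARACTER = 89      # the page's error condition (0089)

# Longest names first so "TLS1" never swallows the prefix of "TLS1.1".
_TOKEN = re.compile(r"([!+-]?)(ALL|SSL2|SSL3|TLS1\.[1-4]|TLS1)")


class TlsProtocolsError(ValueError):
    """Raised for a string the field would reject. code is None where the page gives none."""

    def __init__(self, message: str, code: Optional[int] = None) -> None:
        prefix = f"{code:04d}: " if code is not None else ""
        super().__init__(prefix + message)
        self.code = code


def tokenize(field: str) -> List[Tuple[str, str]]:
    """Split the field into (operator, option) pairs. Spaces and tabs are ignored."""
    text = field.replace(" ", "").replace("\t", "")
    tokens: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:   # any other character is the page's error condition 0089
            raise TlsProtocolsError(f"unrecognised text at offset {pos}: {text[pos:]!r}",
                                    ERR_INVALID_CHARACTER)
        op, name = m.group(1), m.group(2)
        if op == "" and name != "ALL":      # only ALL may appear without an operator
            raise TlsProtocolsError(f"{name} must be preceded by !, + or -")  # no code given by the page (assumption)
        tokens.append((op, name))
        pos = m.end()
    return tokens


def apply_tls_protocols(field: str, supported: Optional[List[str]] = None) -> List[str]:
    """Return the protocols enabled after applying field to the default state, in preference order."""
    supported = list(DEFAULT_SUPPORTED if supported is None else supported)
    enabled: List[str] = list(DEFAULT_ENABLED)   # an empty or blank field leaves this unchanged
    excluded: Set[str] = {"SSL2"}                # SSL2 behaves as if permanently '!'-excluded
    for op, name in tokenize(field):
        names = supported if name == "ALL" else [name]
        if op == "!":                            # permanent: later '+' of these names is ignored
            excluded.update(names)
            enabled = [p for p in enabled if p not in excluded]
        elif op == "-":                          # removable now, re-addable later
            enabled = [p for p in enabled if p not in names]
        else:   # '+' or a bare ALL: append in the order given (assumed to be the preference order)
            for p in names:
                if p not in excluded and p not in enabled:
                    enabled.append(p)
    return enabled


def startable_protocols(field: str, supported: Optional[List[str]] = None) -> List[str]:
    """Like apply_tls_protocols, but refuse an empty list, the error state the page describes for !ALL."""
    enabled = apply_tls_protocols(field, supported)
    if not enabled:   # assumption: any emptied list, not only !ALL, prevents start-up
        raise TlsProtocolsError("no protocols remain enabled; client/server cannot start")
    return enabled


def validate_field(field: str) -> Optional[str]:
    """Return None if the field is usable, otherwise the error message a deployer would see."""
    try:
        startable_protocols(field)
    except TlsProtocolsError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample strings: the page's own examples plus two common mistakes.
    for example in ["", "ALL", "-SSL3", "-ALL+TLS1.1+TLS1.2", "-ALL+TLS1.1 +TLS1.2-TLS1.2",
                    "-ALL+TLS1.2", "!ALL", "!TLS1+TLS1", "-ALL+TLS1.0", "TLS1.2"]:
        print(f"{example!r:32} -> {validate_field(example) or apply_tls_protocols(example)}")
```

Running the script prints the resulting list for each of the page's example strings. Two rejections are worth noting: -ALL+TLS1.0 fails with 0089 because the option is spelled TLS1, not TLS1.0, and a bare TLS1.2 fails because only ALL may appear without an operator.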