The following table shows which TLS versions are available and enabled by default for front-side connections for the corresponding Airlock WAF version.
| Airlock WAF version | Available TLS version | Enabled TLS version by default |
|---|---|---|
| 7.2 and newer | TLS 1.3 SSLv3* | TLS 1.3 TLS 1.2 |
| 7.1 | TLS 1.2 SSLv3 | TLS 1.2 TLS 1.1 |
| 7.0 | TLS 1.2 SSLv3 | TLS 1.2 TLS 1.1 TLS 1.0 |
*SSLv3 will probably no longer be available in future Airlock WAF releases.
Note that when an HSM is used with Airlock WAF, the available and enabled TLS protocols can differ from the table above.
We recommend using the default TLS settings of Airlock WAF for an optimal balance between security and compatibility.
With Airlock WAF 7.2 and higher, older TLS protocol versions like TLS 1.0 and TLS 1.1 as well as weaker TLS cipher suites without forward-secrecy support can be enabled in the Configuration Center using the checkbox "Allow low strength ciphers" on the corresponding virtual host.
To enable TLS 1.0 and TLS 1.1 on Airlock WAF before 7.2, the following Apache Expert Setting can be set globally or on virtual hosts:
SSLProtocol ALL -SSLv3
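The Python code below resolves an `SSLProtocol` value to the protocols it enables and lists the ones older than TLS 1.2, so a setting such as the one above can be reviewed before it is deployed. It is an added example, not Airlock or Apache code; the parsing rules are a simplified model of Apache mod_ssl's `+`/`-` prefix handling, and the supported protocol list (`pre_72`) and the sample values other than `ALL -SSLv3` are assumptions.

```python
# Added example: simplified model of how Apache mod_ssl resolves SSLProtocol.
# ASSUMPTION: the caller supplies the protocols the TLS build supports.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # Apache names for SSLv3, TLS 1.0, TLS 1.1
CANON = {p.lower(): p for p in ORDER}


def effective_protocols(value, supported):
    """Return the protocols enabled by an SSLProtocol argument string."""
    supported = {CANON[p.lower()] for p in supported}
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            selected = set(supported)
        elif name in CANON:
            selected = {CANON[name]}
            if not selected <= supported:
                if action == "-":
                    continue  # removing an unsupported protocol is a no-op
                raise ValueError(f"{CANON[name]} not supported by this build")
        else:
            raise ValueError(f"illegal protocol {token!r}")
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = selected  # a bare token replaces everything set so far
    return [p for p in ORDER if p in enabled]


def legacy_enabled(value, supported):
    """Protocols older than TLS 1.2 that the value leaves enabled."""
    return [p for p in effective_protocols(value, supported) if p in LEGACY]


if __name__ == "__main__":
    # Constructed inputs: protocol set assumed for a pre-7.2 build.
    pre_72 = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
    for value in ("ALL -SSLv3", "-SSLv3 ALL", "ALL -SSLv3 -TLSv1 -TLSv1.1"):
        print(f"SSLProtocol {value:28} legacy: {legacy_enabled(value, pre_72)}")
```

Token order matters: in this model `-SSLv3 ALL` leaves SSLv3 enabled, because the bare `ALL` replaces whatever was set before it.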
Due to restrictions in Apache HTTP Server, the setting does not work on virtual hosts if: