You are here
TLS Versions
Last update on 1. December 2020 - 11:19.
The following table shows which TLS versions are available and enabled by default for front-side connections for the corresponding Airlock WAF version.
| Airlock WAF version | Available TLS version | Enabled TLS version by default |
|
7.2 and newer |
TLS 1.3 SSLv3* |
TLS 1.3 TLS 1.2 |
| 7.1 |
TLS 1.2 SSLv3 |
TLS 1.2 TLS 1.1
|
| 7.0 |
TLS 1.2 SSLv3 |
TLS 1.2 TLS 1.1 TLS 1.0
|
*SSLv3 will probably no longer be available in further Airlock WAF releases.
Note that by using an HSM with Airlock WAF, the available and enabled TLS protocols can be different from the table above.
We recommend to use the default TLS settings of Airlock WAF for an optimal balance between security and compatibility.
With Airlock WAF 7.2 and higher, older TLS protocol versions like TLS 1.0 and TLS 1.1 as well as weaker TLS cipher suites without forward-secrecy support can be enabled in the Configuration Center using the checkbox "Allow low strength ciphers" on the corresponding virtual host.
To enable TLS 1.0 and TLS 1.1 on Airlock WAF before 7.2, the following Apache Expert Setting can be set globally or on virtual hosts:
SSLProtocol ALL -SSLv3
Due to restrictions in Apache HTTP Server, the setting does not work on virtual hosts if:
- "Strictly match FQDN and aliases" is set on the virtual host.
- The same IP is shared among other virtual hosts. In this case the Apache Expert Setting must be set on all virtual hosts sharing the same IP.