Ssl/Tls Settings - D-Link NetDefendOS User Manual

13.9. SSL/TLS Settings

These global settings affect the operation of both SSL VPN and the TLS ALG (see Section 9.7, "SSL
VPN" and Section 6.2.11, "The TLS ALG").
Min SSL Version
This selects the version of SSL that NetDefendOS will support. The options are the following:
• TLSv1.0 - Either TLS version 1.0 or 1.2 is acceptable.
• TLSv1.2- Only TLS version 1.2 is acceptable.
NetDefendOS provides support for TLS version 1.2 as defined by RFC 5246. TLS version 1.1 is not
supported.
Default: TLSv1.2
SSL Processing Priority
The maximum amount of CPU resources that SSL processing is allowed to use for opening new
SSL connections. This setting affects all NetDefendOS subsystems that make use of SSL
processing.
If the proportion of CPU time allocated is not sufficient then some SSL connection setups may fail
under a heavy SSL load and the following log message will be seen:
SSL Handshake: Disallow ClientKeyExchange. Closing down SSL connection
The solution to the problem is to increase the maximum CPU resources available from the
default setting of Normal (about 17%) up to either High (about 25%) or Very High (about 50%).
However, a higher CPU allocation may adversely effect the responsiveness of other NetDefendOS
subsystems.
Lowering the priority is not normally needed unless there is a reason to reduce the CPU time
allocated to SSL connection setup.
Default: Normal (about 17%)
Recommended SSL/TLS Cipher Suites
The following cipher-suites are the recommended suites to use because of their security.
TLS RSA WITH AES 256 CBC SHA256
Enable cipher TLS_RSA_WITH_AES_256_CBC_SHA256.
Default: Enabled
TLS RSA WITH AES 256 CBC SHA1
Enable cipher TLS_RSA_WITH_AES_256_CBC_SHA1.
Default: Enabled
872
Chapter 13: Advanced Settings