Supported SSL/TLS versions

The following table shows which SSL/TLS versions are available and enabled by default for front-side connections for the corresponding gateway version.

| Gateway version | Available TLS version | Enabled TLS version by default |
| --- | --- | --- |
| Airlock Gateway 8.0 and higher | TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 | TLS 1.3, TLS 1.2 |

Note that when a hardware security module (HSM) is used with Airlock Gateway, fewer TLS protocol versions may be available than shown in the table above. SSLv3 is unsupported by Airlock Gateway 8.0 and higher (configuration activation fails). If you use custom settings, you will also not automatically benefit from optimizations in future Airlock Gateway updates.

We recommend using the default TLS settings of Airlock Gateway for an optimal balance between security and compatibility.

How to enable TLS 1.0/1.1

TLS 1.0 and TLS 1.1 are no longer recommended for production use (see RFC 8996 - Deprecating TLS 1.0 and TLS 1.1) but can still be activated as follows.

  1. Go to:
    Virtual host detail page, Tab – SSL
  2. Set SSL protocol to Custom mode with the following settings:
    all +TLSv1 +TLSv1.1
  3. Set Cipher suite to Custom mode and insert the ciphers required by the legacy application. See also Mozilla security recommendations for TLS ciphers for best practice information.
    For example:

    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHAEC:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:PSK-AES128-CBC-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA
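
To trim a custom cipher list down to what the legacy application actually needs, the following added example (not Airlock code) sorts OpenSSL-style cipher names into suites that require TLS 1.2 and suites a TLS 1.0/1.1 client can negotiate, split by forward secrecy. The classification is a name-based heuristic, and the function names and the shortened sample string are assumptions made for illustration.

```python
# Added example: name-based audit of an OpenSSL-style cipher list.
# Heuristic (assumption): AEAD suites (GCM, CCM, CHACHA20-POLY1305) and
# suites with a SHA256/SHA384 MAC need TLS 1.2; PSK CBC suites are exempt.

# Constructed sample: a short excerpt of names from the example list above.
SAMPLE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES256-SHA384:AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "AES256-SHA:DHE-RSA-CAMELLIA256-SHA:PSK-AES128-CBC-SHA:IDEA-CBC-SHA"
)

AEAD_MARKERS = {"GCM", "CCM", "CCM8", "POLY1305"}
FS_KEY_EXCHANGES = {"ECDHE", "DHE"}


def needs_tls12(name: str) -> bool:
    """True if the suite cannot be negotiated by a TLS 1.0/1.1 client."""
    parts = name.upper().split("-")
    if AEAD_MARKERS & set(parts):
        return True
    return parts[-1] in {"SHA256", "SHA384"} and "PSK" not in parts


def has_forward_secrecy(name: str) -> bool:
    """True if the key exchange is ephemeral (EC)DH."""
    return name.upper().split("-")[0] in FS_KEY_EXCHANGES


def audit(cipher_string: str) -> dict:
    """Bucket each unique cipher name, keeping the original order."""
    seen = set()
    report = {"tls12_only": [], "legacy_fs": [], "legacy_no_fs": []}
    for name in (token.strip() for token in cipher_string.split(":")):
        if not name or name in seen:
            continue  # skip empty tokens and duplicates
        seen.add(name)
        if needs_tls12(name):
            report["tls12_only"].append(name)
        elif has_forward_secrecy(name):
            report["legacy_fs"].append(name)
        else:
            report["legacy_no_fs"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit(SAMPLE).items():
        print(f"{bucket:13} {len(names):2}  {' '.join(names)}")
```

Only the `legacy_fs` and `legacy_no_fs` entries are candidates for a TLS 1.0/1.1 client; entries in `legacy_no_fs` are worth keeping only if the legacy application cannot use an ephemeral key exchange.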