Enabling and Disabling SSL Version TLS 1.0

Use the TCPIP OPTION command to enable or disable encryption using SSL version TLS 1.0.

Payment Card Industry Data Security Standard (PCI DSS) version 3.2, Appendix A2, recommends that, beginning June 30, 2018, older versions of "SSL and early TLS" (TLS 1.0, and TLS 1.1, which is not supported on MCP systems) no longer be used. The TLS10 TCP/IP option is a system-wide option that, when disabled, rejects every SSL-encrypted connection that negotiates to TLS 1.0. The default setting of this option is disabled; TLS10 must be manually enabled if necessary.

Note: Use the NW TCPIP STATUS SSL inquiry to ensure that SSL encryption is enabled and to view the list of supported SSL versions and ciphers.

To enable TLS 1.0, enter the following:

NW TCPIP OPT + TLS10

To disable TLS 1.0, enter the following:

NW TCPIP OPT - TLS10

The default state of TLS 1.0 is disabled.

When TLS 1.0 is disabled, and a peer attempts to connect using TLS 1.0, the connection is aborted and the following security violation message is displayed:

The peer at 10.0.0.23 is attempting to connect with a
version of TLS lower than TLS 1.2. All SSL/TLS versions
before TLS 1.2 will be deprecated (or were deprecated 
if after the date) on June 30, 2018. The security 
administrator can enable the TLS 1.0 protocol through 
the ODT command NW TCPIP OPT + TLS10 to allow TLS 1.0 
connections if necessary.

The following sample OPEN record displays an SSL connection configured for either TLS 1.2 or TLS 1.0:

20:16:50 OPEN 2618  EXT NAME: TCPSOCKET000002
                    INT NAME: "SSLCooP_Port".
                    YOURHOSTNAME: USTRMCP0097  UDI "000000000005"  SERVICE: TCPIP Native Service
                                               PDI "003002000048" YOURNAME: 1443
                    MYUSERCODE:                                                   MYNAME: 62942
                    MY IP ADDRESS: 192.62.159.64                         YOUR IP ADDRESS: 192.62.159.97
                    PROVIDERGROUP: NONE SPECIFIED,                     PROVIDER SELECTED: TCPIP SUBFILE INDEX 0
                    TIMELIMIT: NONE SPECIFIED, INIT PRIMITIVE: OPEN                KIND = SSLCOOP PORT
                    OPEN RECEIVED AT 10/01/2016, 20:16:49                      OPENED AT 10/07/2016, 20:16:50
                    AVAILABLEONLY: FALSE                                DIRECTORY IGNORE: FALSE
                    USAGE = I/O                                                OPENTYPE = DONTWAIT
                    SSL VERSION = TLS 1.2 SSL CIPHER SUITE = TLS_RSA_WITH_AES_256_CBC_SHA
                    SSL RESUMABLE = NO
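Before disabling the TLS10 option on a production system, an administrator usually wants to know which peers still negotiate TLS 1.0, since those connections will be refused once the option is off. The script below is an added example, not part of this manual or of the MCP software: it reads OPEN records in the layout shown above, reports every SSL connection whose negotiated version is below TLS 1.2, and separately lists the peer addresses named in the TLS10 security violation message. The sample log is constructed from the page's TLS 1.2 record plus a second, abridged record that is assumed to have negotiated TLS 1.0 from peer 192.62.159.98; the field labels are taken from the page, but the assumption that every record begins with "hh:mm:ss OPEN nnnn" at the start of a line is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field patterns keyed to the labels in the MCP OPEN record and the TLS10
# security-violation message shown on this page. Assumption (not stated by
# the manual): every OPEN record starts with "hh:mm:ss OPEN nnnn" at the
# beginning of a line, and continuation lines are indented.
_OPEN_HDR = re.compile(r"^(\d{2}:\d{2}:\d{2}) OPEN (\d+)\s+EXT NAME: (\S+)", re.M)
_YOUR_IP = re.compile(r"YOUR IP ADDRESS: (\d+(?:\.\d+){3})")
_SSL_VER = re.compile(r"SSL VERSION = (TLS \d+\.\d+)")
_CIPHER = re.compile(r"SSL CIPHER SUITE = (\S+)")
_VIOLATION = re.compile(
    r"The peer at (\d+(?:\.\d+){3}) is attempting to connect with a\s+"
    r"version of TLS lower than TLS 1\.2"
)

MIN_TLS = (1, 2)  # PCI DSS 3.2 Appendix A2: nothing below TLS 1.2


@dataclass
class OpenRecord:
    opened_at: str
    number: int
    ext_name: str
    peer_ip: Optional[str]
    tls_version: Optional[str]  # None for a connection without SSL fields
    cipher: Optional[str]


def tls_tuple(version: str) -> Tuple[int, int]:
    """'TLS 1.0' -> (1, 0) so that versions compare numerically."""
    major, minor = version.split()[1].split(".")
    return int(major), int(minor)


def split_records(log: str) -> List[str]:
    """Cut a log into OPEN records, each starting at its header line."""
    starts = [m.start() for m in _OPEN_HDR.finditer(log)]
    return [log[s:e] for s, e in zip(starts, starts[1:] + [len(log)])]


def parse_open_record(rec: str) -> OpenRecord:
    """Extract the fields this audit needs from one OPEN record."""
    hdr = _OPEN_HDR.search(rec)
    if hdr is None:
        raise ValueError("not an OPEN record")

    def first(rx: "re.Pattern[str]") -> Optional[str]:
        m = rx.search(rec)
        return m.group(1) if m else None

    return OpenRecord(
        opened_at=hdr.group(1),
        number=int(hdr.group(2)),
        ext_name=hdr.group(3),
        peer_ip=first(_YOUR_IP),
        tls_version=first(_SSL_VER),
        cipher=first(_CIPHER),
    )


def legacy_tls_records(log: str) -> List[OpenRecord]:
    """OPEN records whose negotiated SSL version is below TLS 1.2.

    These are the connections that will be refused once TLS10 is disabled
    (NW TCPIP OPT - TLS10); listing them first shows which peers need
    upgrading before the option is turned off.
    """
    return [
        rec
        for rec in map(parse_open_record, split_records(log))
        if rec.tls_version is not None and tls_tuple(rec.tls_version) < MIN_TLS
    ]


def rejected_peers(log: str) -> List[str]:
    """Peer addresses named in TLS10 security-violation messages, i.e. TLS 1.0
    attempts that were already refused because the option is disabled."""
    return [m.group(1) for m in _VIOLATION.finditer(log)]


# Constructed sample: the page's TLS 1.2 record (abridged), a second record on
# the same layout assumed to have negotiated TLS 1.0, and the page's violation
# message.
SAMPLE_LOG = """\
20:16:50 OPEN 2618  EXT NAME: TCPSOCKET000002
                    INT NAME: "SSLCooP_Port".
                    MY IP ADDRESS: 192.62.159.64                         YOUR IP ADDRESS: 192.62.159.97
                    SSL VERSION = TLS 1.2 SSL CIPHER SUITE = TLS_RSA_WITH_AES_256_CBC_SHA
                    SSL RESUMABLE = NO
20:17:05 OPEN 2619  EXT NAME: TCPSOCKET000003
                    INT NAME: "SSLCooP_Port".
                    MY IP ADDRESS: 192.62.159.64                         YOUR IP ADDRESS: 192.62.159.98
                    SSL VERSION = TLS 1.0 SSL CIPHER SUITE = TLS_RSA_WITH_AES_256_CBC_SHA
                    SSL RESUMABLE = NO
The peer at 10.0.0.23 is attempting to connect with a
version of TLS lower than TLS 1.2. All SSL/TLS versions
before TLS 1.2 will be deprecated (or were deprecated
if after the date) on June 30, 2018.
"""

if __name__ == "__main__":
    for rec in legacy_tls_records(SAMPLE_LOG):
        print(f"OPEN {rec.number} at {rec.opened_at}: peer {rec.peer_ip} "
              f"negotiated {rec.tls_version} ({rec.cipher})")
    for ip in rejected_peers(SAMPLE_LOG):
        print(f"peer {ip}: TLS 1.0 attempt refused (TLS10 disabled)")
```

Run the audit against the OPEN records collected while TLS10 is still enabled; once the list of legacy peers is empty, disable the option and watch for the violation message to catch anything that was missed.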