SSL/TLS security
TLS and SSL protocols allow a client and server to establish a secure, encrypted connection over a public network. When you connect using SSL/TLS, the client (such as Reflection) authenticates the server before opening a terminal emulation session, and all data passed between the client and the host is encrypted with the cipher suite negotiated under the protocol option you select. The following options are available:
None | SSL/TLS is not used for this connection. Everything passed between the client and the host, including credentials, crosses the network in clear text.
TLS 1.2, 1.0, SSL 3.0 | Allow the connection to negotiate TLS 1.2, TLS 1.0, or SSL 3.0, depending on the capabilities of the host or server to which you are connecting. Because the weakest of the three can be chosen by the peer, treat this as a transitional setting for hosts that are still being upgraded.
TLS 1.2, 1.0 | Select this option to connect using TLS, but not SSL. When TLS is selected, the client also checks the name of the server it connected to against the name on the server certificate. Therefore, TLS connections require the common name on the server certificate to match the host name, or the security proxy server name when the Security Proxy is in use. TLS 1.2 support requires additional configuration by the administrator using the Administrative WebStation and PKI Services Manager.
SSL 3.0 | Select this option to connect using SSL, but not TLS. This is not recommended: SSL 3.0 is obsolete and vulnerable to the POODLE padding-oracle attack (CVE-2014-3566), which lets an attacker on the network path recover plaintext such as passwords. Use it only for hosts that do not support TLS, and consider placing such hosts behind the Security Proxy instead.
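The following is an added example, not Reflection's own code, of what the TLS-only option commits the client to, written with Python's ssl module. It builds a client context that cannot negotiate SSL 3.0 and must verify the server name, and it re-implements the name check so it can be exercised offline: the name the client connects to (the host, or the security proxy server when one is in use) must appear in the certificate's subjectAltName DNS entries or, if the certificate has none, equal the subject common name. The certificate dictionaries, host names and the TLS 1.2 floor are this example's assumptions; the SAN-before-CN order and the wildcard rule follow RFC 6125, not anything the page states about the product.

```python
"""Added example (not Reflection's code): client-side meaning of the
'TLS 1.2, 1.0' option and the server-name check it implies."""
import ssl
from typing import Optional


def make_client_context() -> ssl.SSLContext:
    """Client context for the TLS-only option. create_default_context() already
    verifies the chain and the server name; the TLS 1.2 floor is this example's
    hardening choice (the page's option also permits TLS 1.0)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSL 3.0, TLS 1.0, TLS 1.1
    ctx.check_hostname = True                      # name on cert must match the peer name
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_tls_only(ctx: ssl.SSLContext) -> bool:
    """True when the context can negotiate nothing below TLS 1.2 and checks names."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and ctx.check_hostname


def name_to_verify(host: str, security_proxy: Optional[str]) -> str:
    """The client authenticates whichever endpoint terminates its TLS session:
    the Security Proxy server when 'Use security proxy' is on, else the host."""
    return security_proxy or host


def _dns_name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive DNS comparison. A '*' is honoured only as the entire
    leftmost label, never across a dot and never for a bare two-label domain."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == n[1:]
    return p == n


def cert_name_matches(cert: dict, expected_name: str) -> bool:
    """cert uses the dict shape returned by ssl.SSLSocket.getpeercert().
    subjectAltName DNS entries are authoritative; the subject commonName is
    consulted only when the certificate carries no DNS SAN at all."""
    san_dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return any(_dns_name_matches(p, expected_name) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for (k, v) in rdn:
            if k == "commonName":
                return _dns_name_matches(v, expected_name)
    return False


# Constructed sample certificates (dict shape only, not real certificates).
HOST_CERT = {
    "subject": ((("commonName", "tn3270.example.com"),),),
    "subjectAltName": (("DNS", "tn3270.example.com"),
                       ("DNS", "*.mainframe.example.com")),
}
PROXY_CERT = {                       # CN only, no SAN: CN is used as a fallback
    "subject": ((("commonName", "proxy.example.com"),),),
}
MISMATCH_CERT = {                    # CN looks right but the SAN says otherwise
    "subject": ((("commonName", "tn3270.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}


if __name__ == "__main__":
    ctx = make_client_context()
    print("TLS only, name check on:", is_tls_only(ctx))
    direct = name_to_verify("tn3270.example.com", None)
    via_proxy = name_to_verify("tn3270.example.com", "proxy.example.com")
    print("direct connection verifies", direct, cert_name_matches(HOST_CERT, direct))
    print("proxy connection verifies", via_proxy, cert_name_matches(PROXY_CERT, via_proxy))
    print("wildcard covers one label:",
          cert_name_matches(HOST_CERT, "lpar1.mainframe.example.com"),
          cert_name_matches(HOST_CERT, "a.b.mainframe.example.com"))
```

When the Security Proxy is in use the client's TLS session terminates at the proxy, so it is the proxy server's certificate and name that must agree, as the `name_to_verify` helper shows; a host certificate with the wrong name only surfaces when the client connects directly or uses end to end encryption.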
Certificate verification
Use Certificate verification to configure certificate verification options such as certificate policies, CRL settings, and OCSP settings.
Note: These settings are not applicable when TLS 1.2 and PKI Services Manager support is enabled by the administrator.
Use Security Proxy
When Use security proxy is enabled, the client connects to your host via the Security Proxy Server, which requires a separate license. With the proxy enabled, you can configure secure connections even if your host is not running an SSL/TLS-enabled Telnet server: the client-to-proxy leg is protected by SSL/TLS, and the proxy forwards the session to the host. To support such connections, you must install and configure the Security Proxy server.
Security proxy | Specifies the host running the Security Proxy Server. If you are creating or editing a session using the Session Manager, all of the available security proxy servers are listed here.
End to end encryption | This option provides end to end encryption by tunneling an SSL/TLS direct connection to the host through the Security Proxy. It combines the authorization associated with the security proxy with the complete SSL/TLS encryption associated with the SSL/TLS direct connection. The host must support SSL/TLS direct connections to use this feature.
The following settings are available only if the session has been launched from the Session Manager in the Administrative WebStation:
Destination host | Specify the name of the default destination host. When client authorization is turned on (the default), each Security Proxy can connect to multiple hosts. When client authorization is off, each Security Proxy can connect to only one host, and this remote address specifies the host to which the Security Proxy will connect. Enter the remote address as either a host name, such as hostname.example.com, or an IP address, such as 123.123.100.100. If you are not connecting with the default port, use the format Host:Port to specify an alternate port.
Connection details | Connection details include a description of the Security Proxy and information such as the cipher suite used. The status shown for the connection between the Security Proxy server and the host reflects whether proxy-to-host security is enabled. When the Only display the cipher suite for connection from the client to the security proxy check box is selected, the cipher suite used for the connection between the proxy server and the end host is not shown; when the check box is cleared, both cipher suites are displayed. The two legs are negotiated separately and can end up with different cipher suites, so clear the check box when auditing a session. Note: The check box is available only when SSL/TLS, Use the Security Proxy, and End to end encryption are all selected.