A CPL policy can be created on the ProxySG to allow or deny one or more SSL/TLS protocol versions.
The policy can be applied globally or scoped to specific URLs, IP addresses, etc.
For example, in an end-to-end connection:
The ProxySG appliance has settings that you can configure to support the SSL protocol. See the "Editing an SSL Client" section of the Administration Guide.
Note: The SSL Client settings are applicable when the ProxySG appliance is acting as an SSL Client by initiating its own SSL connections, for example, when acting as:
You can also specify the preferred SSL and TLS protocol versions in the proxy.
You can make this change globally via CPL or from the Management Console.
To edit the SSL client from Management Console:
To edit the SSL client via CPL, the policy syntax for the client is:
<ssl>
client.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1,TLSV1.2
And the syntax for the server is:
<ssl>
server.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1,TLSV1.2
To edit the SSL client for a specific URL, or any other condition, via CPL, you can use this sample policy:
<ssl>
url.host.substring=example.com client.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny
url.host.substring=example.com server.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny
url.host.substring=example.com client.connection.negotiated_ssl_version=TLSV1.2 allow
url.host.substring=example.com server.connection.negotiated_ssl_version=TLSV1.2 allow
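A review aid for policies written in the form shown above, added here as an example and not taken from the ProxySG documentation: it reads the rule lines and reports, per scope and connection side, any deprecated version that an allow rule names or that no deny rule covers. It understands only the line layout used on this page and does not evaluate CPL; the function names and the legacy.example.net sample are assumptions.

```python
from collections import defaultdict

# SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 6176, RFC 7568, RFC 8996).
LEGACY = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1"}
CONDITION = ".connection.negotiated_ssl_version="

def parse_rules(policy):
    """Yield (scope, side, versions, action) for each version condition found."""
    for raw in policy.splitlines():
        line = raw.strip()
        if not line or (line.startswith("<") and line.endswith(">")):
            continue                      # blank line or layer header such as <ssl>
        tokens = line.split()
        action = tokens.pop().lower() if tokens[-1].lower() in ("allow", "deny") else None
        # Every other condition on the line (e.g. url.host.substring=...) is the scope.
        scope = " ".join(t for t in tokens if CONDITION not in t) or "(global)"
        for tok in tokens:
            if CONDITION in tok:
                side, value = tok.split(CONDITION, 1)
                versions = {v.upper() for v in value.strip("()").split(",") if v}
                yield scope, side.lower(), versions, action

def audit(policy):
    """Map (scope, side) to the legacy versions allowed and those never denied."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for scope, side, versions, action in parse_rules(policy):
        if action == "allow":
            allowed[(scope, side)] |= versions
        elif action == "deny":
            denied[(scope, side)] |= versions
    return {
        key: {"allowed_legacy": sorted(allowed[key] & LEGACY),
              "undenied_legacy": sorted(LEGACY - denied[key])}
        for key in set(allowed) | set(denied)
    }

# Constructed sample: the first pair mirrors the page's policy, the second is a weak variant.
SAMPLE = """<ssl>
url.host.substring=example.com client.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny
url.host.substring=example.com client.connection.negotiated_ssl_version=TLSV1.2 allow
url.host.substring=legacy.example.net server.connection.negotiated_ssl_version=SSLV2,SSLV3 deny
url.host.substring=legacy.example.net server.connection.negotiated_ssl_version=TLSV1,TLSV1.1,TLSV1.2 allow
"""

if __name__ == "__main__":
    for (scope, side), finding in sorted(audit(SAMPLE).items()):
        print(scope, side, finding)
```

An empty list in both fields means the scope denies every deprecated version by name; anything listed is a rule to revisit before the policy is installed.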