Skip to main content


tls_protocols — allowable ciphers for TLS inbound and outbound sessions


tls_protocols = "+<baseprotocol>[:[+|-]<additional protocols]"


tls_protocols specifies the allowable protocols for an OpenSSL TLS session. The available protocols are ALL, SSLv2, SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2. Each set can be enabled or disabled by prefixing its name with a “+” or “-“ respectively. For example, to enable all protocols except SSLv3, the setting “:ALL:-SSLv3” would be applied. Protocol strings should be separated from one another with a colon.

This option has no meaning for GNUTLS.

**Configuration Change. ** This option is available as of version 3.6.6.

The default value is “+ALL”.


In Centos/RHEL 5, which are typically shipped with OpenSSL 0.98, TLSv1.1 and TLSv1.2 are not available.


tls_ciphers is valid in the binding, binding_group, domain, ecstream_listener, esmtp_listener, global, http_listener, listen, pathway, pathway_group and peer scopes.

Was this page helpful?