Configuring cryptographic protocols for outbound communication

Description

It is possible to modify the list of cryptographic protocols for encrypted outbound communication used by the following subsystems:

  • Terminal Server

  • FlexiSpooler

  • Mobile Print Server

For each of these subsystems there exists a configuration property, where you can specify the list of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol versions to be supported. To change the setting, in YSoft SafeQ management interface go to the System settings (Expert options) and search for the properties securityProtocolTypesForOutboundCommunication (Terminal Server), fspHttpsSecurityProtocols (FlexiSpooler) and mpsHttpsSecurityProtocols (Mobile Print Server).

The subsystems can be set to use the following versions of the SSL/TLS protocol: SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. If any of the versions is not present in the list, the corresponding subsystem will not connect to the servers or terminals that only support the removed versions.

In case secure Http communication is enabled, t he fspHttpsSecurityProtocols parameter is applied to IPPS communication to a printer and to communication from FSP in nonspooling client mode to FSP in server spooling mode.The specified protocols are used in SSL/TLS handshake from the client side of the outbound communication.

The system property mpsHttpsSecurityProtocols applies for all outbound connections from the YSoft SafeQ Mobile Print Server: HTTP with the YSoft SafeQ FleixSpooler, SMTP, POP3, IMAP and EWS with the mail server.

For the secure communication with the Konica Minolta devices (and also Konica Minolta branded devices Olivetti and Develop), the SSL/TLS protocol versions supported depend also on the OpenAPI SDK used. By default, the newer version, 4-13a is enabled, what means support of .NET 4.5 or higher. To use lower versions the configuration property kmOpenApiVersion needs to be set to 4-2.

The subsystem has to be restarted once the property is modified.

In order to work properly, the list must contain the consecutive versions. I.e. specification of only one version is correct, SSL 3.0 + TLS 1.0 or TLS 1.0 + TLS 1.1 + TLS 1.2 are both the correct lists, but TLS 1.0 + TLS 1.2 is not.

In case the list is empty, the supported protocols are dependent on the used .NET version. In .NET 4.5 the only SSL/TLS protocol versions supported are SSL 3.0 and TLS 1.0. In .NET 4.6 and above, also TLS 1.1 and TLS 1.2 are enabled by default.

Protocols and algorithms not enabled in the underlying operating system cannot be used. The SSL/TLS protocol versions supported by the subsystems are the interception of the versions specified in the aforementioned properties and the settings in the OS.