SSL and TLS Protocol Versions

By default, new clients connecting to new servers use TLSv1.2.

Clients and servers choose the highest TLS version supported by both ends of the connection.

If the "client" is not explicitly set, explicitly setting the server's ssl.tls.version.min and ssl.tls.version.max configurables will apply to "client" connections for backwards compatibility.

Server configurables

Two server configurables restrict the allowed TLS versions when a new client connects to a new server:

ssl.tls.version.min [default=10], which specifies the lowest TLS version that can be accepted.

ssl.tls.version.max [default=13], which specifies the highest TLS version that can be accepted.

Each of these configurables can take one of the following values:

13 specifies TLSv1.3

12 specifies TLSv1.2

11 specifies TLSv1.1 - not recommended

10 specifies TLSv1.0 - not recommended

Important

For security, choose a value that is at least 12.

TLS 1.3 and TLS 1.2

TLS 1.3 is faster than TLS 1.2 at file transfers, but establishing a TLS 1.3 connection requires more overhead. The higher the latency, the less the connection overhead matters. Applications that rely on many short-lived connections might give better performance with TLS 1.2 if using a TLS 1.3-enabled server, but TLS 1.3 is less vulnerable to cyber attacks.

Client configurables

The 2021.1 release introduced two corresponding configurables on the client side:

ssl.client.tls.version.min

ssl.client.tls.version.max

Highest TLS version chosen

The range of values that the client-side configurables accept might differ from the range of values that the server-side configurables accept. Clients and servers choose the highest TLS version supported by both ends of the connection.

Definition of client

These "client" and server of configurables can be used in servers, proxies, or brokers where both upstream (client-side) and downstream (server-server) connections are made. For example, in edge-to-edge chaining, one edge server acts as a "client" to another edge server. This aspect of a server as a "client" applies to other scenarios as well, such as centralized authorization server (P4AUTH), centralized changelist server (P4CHANGE), and when one server accesses a "remote depot" on another server.

Important

After you change the value of these configurables, you must explicitly "stop" the server.

p4 admin restart is NOT sufficient.

The change takes effect after a complete "stop" and start.

For UNIX, see Stop the Helix Server and Start the Helix Server.
For Windows, see Start and stop the Perforce service.

If the client-side configurables are not set

To force the use of TLSv1.3, set

ssl.tls.version.min=13
ssl.tls.version.max=13

To force the use of TLSv1.2, set

ssl.tls.version.min=12
ssl.tls.version.max=12

To allow TLSv1.2 or TLSv1.3, but exclude TLSv1.0 and TLSv1.1, set

ssl.tls.version.min=12
ssl.tls.version.max=13

These configurables can also be used by clients for testing purposes or to prevent connecting to servers below a minimum version.

On a client, to verify that TLSv1.0 does not connect:

p4 -v ssl.tls.version.min=10 -v ssl.tls.version.max=10 info

Values of either configurable outside of the legal range will be treated as if they were pinned to the nearest end of the range. Thus values below 10 will be treated as 10, and values above 13 will be treated as 13.

Warning

Do NOT set ssl.tls.version.min to a higher value than the value of ssl.tls.version.max because this would prevent clients from connecting to the server, and the client will get an error similar to this:

Perforce client error:
SSL protocol: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:

To reset the values, use the command line. For example,

p4d -r /p4/1/root -c "set ssl.tls.version.min=11"
p4d -r /p1/1/root -c "set ssl.tls.version.max=13"

and restart the server.

Broker and Proxy configuration for TLS

Configurables can be set on the Broker and Proxy by using the -v option on the command line. For example:

p4p -v ssl.client.tls.version.min=11 -v ssl.tls.version.min=12 -r /var/proxycacheroot -t ssl:serverhost:1666 -p ssl:proxyhost:1667

p4broker -v ssl.client.tls.version.min=11 -v ssl.tls.version.min=12 -c p4broker.config

The Broker can also have the configurables placed in its config file by using the debug-level option. For example:

debug-level = ssl.tls.version.min=12, ssl.tls.version.max=12;

Windows services for the Proxy can have the configurables set with P4POPTIONS:

p4 set -S "Perforce Proxy" P4POPTIONS="-v ssl ssl.client.tls.version.min=12 -v ssl.client.tls.version.max=12"

Windows services for the Broker can have the configurables set with P4BROKEROPTIONS:

p4 set -S P4Broker" P4BROKEROPTIONS="-c C:\p4broker\p4broker.conf -v ssl.client.tls.version.min=12 -v ssl.client.tls.version.max=12"

Example of an error

A failure of a connection to the server due to mismatched TLS versions between the server and the Proxy or Broker results in an error. For example:

Perforce client error:
Broker connection error: failed to connect to ssl::1666.
SSL connect to ssl::1666 failed (SSL protocol error).
Remove SSL protocol prefix from P4PORT or fix the TLS settings.
SSL protocol: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version