Enabling TLS/SSL Connection Downgrades on Message VPNs

If you want client connections to use TLS/SSL encryption to protect the clientsʼ credentials, but for performance reasons you do not want to encrypt the data that is transmitted after the clients are authenticated and authorized, you can use the TLS/SSL client connection downgrade option.

The TLS/SSL client connection downgrade option allows connecting clients to request to downgrade their TLS/SSL connections to a Message VPN to plain-text connection, and if that Message VPN allows TLS/SSL connection downgrades, after the clientsʼ login handshake are finished, their connections are downgraded. This means that the clientsʼ authentication data is still encrypted, but the subsequent application data that is transmitted is sent as non-encrypted plain-text.

To allow TLS/SSLclient connection downgrades on the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn/ssl)# allow-downgrade-to-plain-text

The no version, no allow-downgrade-to-plain-text, disables support for TLS/SSL connection downgrades on the given Message VPN. By default, TLS connection downgrades are not allowed.