Enabling TLS/SSL Connection Downgrades on Message VPNs
If you want client connections to use TLS/SSL encryption to protect the client credentials, but for performance reasons you do not want to encrypt the data that is transmitted after clients are authenticated and authorized, you can use the TLS/SSL client connection downgrade option.
The TLS/SSL client connection downgrade option allows connecting clients to request that their TLS/SSL connections to a Message VPN be downgraded to plaintext connections. In this case, the connection is downgraded after the client login handshake is finished. This means that client authentication data is still encrypted, but the subsequent application data is sent as non-encrypted plaintext.
To allow TLS/SSL client connection downgrades on the given Message VPN, enter the following commands:
solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# ssl
solace(configure/message-vpn/ssl)# allow-downgrade-to-plain-text
The no version, no allow-downgrade-to-plain-text, disables support for TLS/SSL connection downgrades on the given Message VPN. By default, TLS connection downgrades are not allowed.
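Because this option leaves application data unencrypted after login, it is worth checking which Message VPNs end up with it enabled. The following is an added example, not part of the original documentation: it reads a log of the commands shown above and reports the final setting per Message VPN. The sample log and its VPN names are constructed, and navigation commands between VPNs are omitted from it.

```python
import re

# Matches a CLI prompt such as "solace(configure/message-vpn/ssl)# "
PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")

# Constructed sample command log (VPN names are made up for this example).
SAMPLE_LOG = """\
solace(configure)# message-vpn payments
solace(configure/message-vpn)# ssl
solace(configure/message-vpn/ssl)# allow-downgrade-to-plain-text
solace(configure)# message-vpn telemetry
solace(configure/message-vpn)# ssl
solace(configure/message-vpn/ssl)# allow-downgrade-to-plain-text
solace(configure/message-vpn/ssl)# no allow-downgrade-to-plain-text
solace(configure)# message-vpn internal
"""

def downgrade_settings(cli_text):
    """Return {vpn_name: bool}: whether plaintext downgrade ends up allowed."""
    settings = {}
    vpn = None
    for raw in cli_text.splitlines():
        # Accept lines with or without a leading prompt.
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "message-vpn" and len(words) == 2:
            vpn = words[1].strip('"')
            settings.setdefault(vpn, False)  # default: downgrades not allowed
        elif vpn is None:
            continue  # setting issued outside any Message VPN context
        elif words == ["allow-downgrade-to-plain-text"]:
            settings[vpn] = True
        elif words == ["no", "allow-downgrade-to-plain-text"]:
            settings[vpn] = False  # the "no" version disables it again
    return settings

def vpns_allowing_downgrade(cli_text):
    """Names of Message VPNs whose last setting allows plaintext downgrade."""
    return sorted(v for v, on in downgrade_settings(cli_text).items() if on)

if __name__ == "__main__":
    for name in vpns_allowing_downgrade(SAMPLE_LOG):
        print(f"{name}: application data may be sent as plaintext after login")
```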