Tech Tip – Does the Policy Server support the TLS v1.1/TLS v1.2 protocols for LDAP connectivity with the Policy Store/User Store?


The customer wants to disable the SSL protocol and enable TLS v1.1/TLS v1.2 for the Policy Server connection to the LDAP Policy Store/User Store.


Does the Policy Server support the TLS v1.1/TLS v1.2 protocols for LDAP connectivity with the Policy Store/User Store?


Policy Server Version: R12.0SP3 and above


What determines which SSL/TLS protocols the Policy Server supports for LDAP connections?

The Policy Server uses a Mozilla LDAP SDK to communicate with LDAP directories (Policy Store, User Store, etc.).

These libraries are deployed under the Policy Server bin folder. The main library is the Network Security Services (NSS) base library: nss3.dll (Windows)/ (Unix)

So, support for the different security protocols (SSL, TLS 1.0, 1.1, 1.2, etc.) primarily depends on whether the bundled NSS library supports them.

Support for TLS v1.1 (RFC 4346) is available from NSS 3.14

Support for TLS v1.2 (RFC 5246) is available from NSS 3.15.1


Does the Policy Server support the TLS v1.2 protocol for LDAP connectivity with the Policy Store/User Store?

As seen above, this depends on the version of the NSS libraries shipped. Now let's look at the NSS library versions shipped with the different Policy Server versions:

  • R12.SP3CR12  = NSS
  • R12.51CR6 onwards until CR10 = NSS
  • R12.52SP1 CR7 onwards = NSS 3.28.1
  • R12.52SP2 until CR1  = NSS
  • R12.6 = NSS 3.20


  • R12.0SP3CR12 doesn't have support for the TLS protocol. It supports only SSL.
  • From R12.51CR6 onwards, we have support for TLS, but only up to TLS v1.0 (due to some internal limitation we don't support TLS v1.1). However, you can request a NIN for this, as we have already certified the NSS 3.30.2 libraries for this release (CA only refer: DE300577)
  • From R12.52SP1 CR7 onwards, we have support for both TLS v1.1 & TLS v1.2
  • R12.52SP2 until CR1 doesn't have support for TLS v1.1 & TLS v1.2 (open a support ticket if you need a NIN for this release)
  • From R12.6 onwards, we have support for both TLS v1.1 & TLS v1.2
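
The NSS version thresholds given above (3.14 for TLS v1.1, 3.15.1 for TLS v1.2) can be checked against the library actually deployed in the bin folder. The following is an added example, not code from the vendor or from this page; it assumes the NSS binary embeds an ASCII marker of the form `NSS 3.28.1`, and the function names and sample bytes are hypothetical.

```python
import re
import sys

# Minimum NSS version per protocol, as stated on this page.
TLS_MIN_NSS = {"TLS v1.1": (3, 14), "TLS v1.2": (3, 15, 1)}

# Assumption: the library contains an ASCII marker such as "NSS 3.28.1".
_VERSION_RE = re.compile(rb"NSS (\d+\.\d+(?:\.\d+){0,2})")

# Constructed sample bytes (not taken from a real library), used when no path is given.
SAMPLE = b"\x7fELF\x00\x01$Header: NSS 3.15 Basic ECC $\x00\x00"


def find_nss_version(blob):
    """Return the first embedded NSS version as a tuple of ints, or None."""
    match = _VERSION_RE.search(blob)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).decode().split("."))


def supported_protocols(version):
    """Compare a version tuple with each threshold.

    Tuple comparison orders (3, 15) before (3, 15, 1), so NSS 3.15
    is correctly reported as lacking TLS v1.2.
    """
    return {proto: version >= minimum for proto, minimum in TLS_MIN_NSS.items()}


def check_library(blob):
    """Return (version, {protocol: bool}); (None, {}) if no marker is found."""
    version = find_nss_version(blob)
    if version is None:
        return None, {}
    return version, supported_protocols(version)


if __name__ == "__main__":
    # Usage: python check_nss.py <path to the NSS library in the bin folder>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    version, protocols = check_library(data)
    if version is None:
        sys.exit("no NSS version marker found")
    print("NSS", ".".join(map(str, version)))
    for proto, ok in protocols.items():
        print(f"  {proto}: {'library supports it' if ok else 'library too old'}")
```

The library version is only an upper bound: as the R12.51 entry above shows, a release can ship a capable NSS build and still not enable a protocol.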