Enhance Print Deploy server security with a custom TLS setting

TLS (Transport Layer Security) is a cryptographic protocol. It verifies the identity of the Print Deploy server, then determines which algorithm to use for the end-to-end security of data sent over the Internet between the Print Deploy server, Print Deploy Client and the reference computer.

The algorithm used is chosen from the CipherSuites, a list of algorithms included in each version of TLS. You can find out more about them on the TLS Parameters page.

Not all algorithms remain secure. When Print Deploy and Mobility Print were built, the default protocol version, TLS v1.0, was secure, but that has changed over time. To ensure you have the level of data transfer security required for your organization, you might need to change the default.

When Print Deploy starts for the first time, it creates a default tls.conf.toml file that contains the recommended TLS settings for the server.

We recommend you determine the applicable TLS version and Cipher Suites for the server based on your organization’s environment. If you have a fleet of old computers, check that they can support the default TLS settings.

Below is the recommended configuration for the vast majority of services. It is highly secure and compatible with nearly every client released in the last five (or more) years.

MinVersion = "VersionTLS12"
CipherSuites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"]

Configure TLS

  1. Make sure you are on a Print Deploy server version that is greater than 1.1.956.

    Check the bottom of the Print Deploy Admin page. You cannot configure TLS on versions below this.

  2. Go to [app-path]/providers/print-deploy/win/data/config

  3. Open the tls.conf.toml file as a text file.

  4. Configure the values according to:

    • the recommended configuration shown above

    • your organization’s requirements, by adding or removing values.

      • To add a cipher, type a comma after the last cipher and enclose the new string in straight quotation marks. For example, [… "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"].

      • To remove a default cipher, remove the string and its comma.

Valid MinVersion and CipherSuites values

The table below shows a list of the valid values.

  • If there is an unrecognized value in either MinVersion or CipherSuites, the server will stop running immediately and log the error in the config file, indicating which value is unrecognized.

  • If CipherSuites is null, Print Deploy will use a default list of secure cipher suites. The order of use is determined automatically.

Key: MinVersion
Description: The minimum TLS version accepted by the server
Default: "VersionTLS12"
Valid values:

    "VersionTLS10"
    "VersionTLS11"
    "VersionTLS12"
    "VersionTLS13"

Key: CipherSuites
Description: The supported cipher suites for TLS versions up to TLS 1.3.
Default:

    ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
     "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
     "TLS_RSA_WITH_AES_128_GCM_SHA256",
     "TLS_RSA_WITH_AES_256_GCM_SHA384"]

Valid values:

  The cipher suites in this section are only supported for TLS1.3.

    "TLS_AES_128_GCM_SHA256"
    "TLS_AES_256_GCM_SHA384"
    "TLS_CHACHA20_POLY1305_SHA256"

  The cipher suites in this section are only supported from TLS1.0 to TLS1.2.

    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    "TLS_RSA_WITH_AES_128_CBC_SHA"
    "TLS_RSA_WITH_AES_256_CBC_SHA"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
    "AES_256_GCM_SHA384"

  The cipher suites in this section are supported only in TLS1.2.

    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
    "TLS_RSA_WITH_AES_128_GCM_SHA256"
    "TLS_RSA_WITH_AES_256_GCM_SHA384"
    "TLS_RSA_WITH_AES_128_CBC_SHA256"

  The cipher suites below are not recommended for use because they have known vulnerabilities.

    "TLS_RSA_WITH_RC4_128_SHA"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    "TLS_RSA_WITH_AES_128_CBC_SHA256"
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA"
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
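
One way to check an edited tls.conf.toml against the values on this page before restarting the server, as an added example that is not PaperCut's code. The audit_tls_conf function and the LOOSENED sample are constructed here; the check reads only the MinVersion and CipherSuites keys with a simple pattern match and does not validate cipher names against the full list of valid values.

```python
import re

# Values copied from this page.
VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
NOT_RECOMMENDED = {
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

def audit_tls_conf(text):
    """Return a list of findings for the text of a tls.conf.toml file."""
    findings = []
    # Quotes pasted from a web page or word processor are not TOML string delimiters.
    if re.search("[\u201c\u201d]", text):
        findings.append("typographic quotes found; use straight quotes")
    m = re.search(r'^\s*MinVersion\s*=\s*"([^"]*)"', text, re.M)
    if m and m.group(1) not in VERSIONS:
        findings.append(f"MinVersion {m.group(1)} is not a valid value")
    elif m and VERSIONS.index(m.group(1)) < VERSIONS.index("VersionTLS12"):
        findings.append(f"MinVersion {m.group(1)} is below the default VersionTLS12")
    m = re.search(r'^\s*CipherSuites\s*=\s*\[(.*?)\]', text, re.M | re.S)
    suites = re.findall(r'"([^"]*)"', m.group(1)) if m else []
    for name in suites:
        if name in NOT_RECOMMENDED:
            findings.append(f"{name} is on the not-recommended list")
    if len(suites) != len(set(suites)):
        findings.append("CipherSuites contains a duplicate entry")
    return findings

# The recommended configuration from this page.
RECOMMENDED = '''MinVersion = "VersionTLS12"
CipherSuites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"]
'''
# Constructed sample: settings loosened for old clients, with one pasted cipher.
LOOSENED = '''MinVersion = "VersionTLS10"
CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_RSA_WITH_RC4_128_SHA", \u201cTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA\u201d]
'''

if __name__ == "__main__":
    for label, conf in (("recommended", RECOMMENDED), ("loosened", LOOSENED)):
        print(label, audit_tls_conf(conf) or "no findings")
```

To audit a real file, pass its contents to audit_tls_conf; an empty list means none of these checks fired.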
 
