Skip to main content

Tutorial: Select the SSL and TLS Levels on the Web Server


You can adjust the SSL and TLS levels Access Server uses for the hosted web services.


You can adjust the TLS settings for the Access Server web server from the Admin Web UI or command-line interface (CLI).

  • An installed Access Server.

  • Admin Web UI access or console access with root privileges.

  1. Sign in to the Admin Web UI.

  2. Click Configuration > TLS Settings.

  3. Scroll down to TLS options for Web Server.

  4. Select your desired protocol version (the default is TLS 1.2).

  5. Important

    When you change the TLS level, this requires restarting the server.

  1. Connect to the console with root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/
  3. List the current TLS level:

    ./sacli ConfigQuery | grep -i "cs.tls_version_min"
    • If nothing displays, the cs.tls_version_min configuration key uses the default value, TLS 1.2.


      The cluster API port on TCP 945 for inter-node communication in a cluster has a separate configuration key for the minimum TLS level version as of Access Server 2.9.1. By default, it inherits whatever is set for the main web services, but it can be specified separately with the ssl_api.tls_version_min configuration key.

  4. Set the web services minimum requirement of TLS 1.3 or higher:

    ./sacli --key "cs.tls_version_min" --value "1.2"1 ConfigPut
    ./sacli start


    Valid values for the cs.lts_version_min configuration key are:

    • 1.0: require TLs 1.0 or higher.

    • 1.1: require TLS 1.1 or higher.

    • 1.2: require TLS 1.2 or higher.

    • 1.3: require TLs 1.3 or higher.


    The OpenSSL library that comes with the operating system on which your Access Server is installed must support the selected value. On older operating systems, OpenSSL did not yet support TLS 1.3, so it will not function on those platforms. On newer operating systems, OpenSSL automatically upgrades TLS 1.0 and TLS 1.1 to TLS 1.2.

  5. Reset the minimum TLS level settings to default by deleting the configuration keys:

    ./sacli --key "cs.tls_version_min" ConfigDel
    ./sacli --key "ssl_api.tls_version_min" ConfigDel
    ./sacli start