There are three managed profiles to choose from: COMPATIBLE (default), MODERN and RESTRICTED:

- The RESTRICTED profile supports a reduced set of cryptographic algorithms, intended to meet stricter compliance requirements.
- The MODERN profile supports a wider set of cryptographic algorithms, allowing most modern clients to negotiate TLS.
- The COMPATIBLE profile supports the widest set of cryptographic algorithms, allowing connections from older client applications.

The MODERN and COMPATIBLE profiles allow the use of older cryptographic algorithms that are no longer considered secure and are susceptible to attack.

What is the potential impact?

An attacker may be able to force the use of the insecure cryptographic algorithms, downgrading the security of the connection. This allows them to compromise the confidentiality or integrity of the data being transmitted.

The MODERN profile allows the use of the insecure SHA-1 signing algorithm. An attacker is able to generate forged data that passes a signature check, appearing to be legitimate data.

The COMPATIBLE profile additionally allows the use of key exchange algorithms that do not support forward secrecy. If the server's private key is leaked, it can be used to decrypt all network traffic sent to and from that server.
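
One way to check an inventory of policies against the profiles described above. This is an added example, not code from the original page: it assumes the policies are available as a JSON list of objects with `name` and `profile` fields (both field names and the sample data are assumptions constructed for illustration).

```python
import json

# Weaknesses each profile admits, as described in the text above.
PROFILE_RISKS = {
    "RESTRICTED": [],
    "MODERN": ["SHA-1 signing"],
    "COMPATIBLE": ["SHA-1 signing", "key exchange without forward secrecy"],
}
DEFAULT_PROFILE = "COMPATIBLE"  # the profile that applies when none is set

# Constructed sample inventory (hypothetical policy names).
SAMPLE = json.dumps([
    {"name": "lb-public"},                           # no profile: default applies
    {"name": "lb-api", "profile": "MODERN"},
    {"name": "lb-payments", "profile": "RESTRICTED"},
])


def audit_policies(policies_json):
    """Return (name, effective_profile, risks) for each policy needing attention."""
    findings = []
    for policy in json.loads(policies_json):
        name = policy.get("name", "<unnamed>")
        raw = policy.get("profile")
        # A missing or empty profile silently falls back to the default.
        profile = str(raw or DEFAULT_PROFILE).strip().upper()
        if profile not in PROFILE_RISKS:
            findings.append((name, profile, ["unrecognised profile, review manually"]))
            continue
        risks = list(PROFILE_RISKS[profile])
        if risks:
            findings.append((name, profile, risks))
    return findings


if __name__ == "__main__":
    for name, profile, risks in audit_policies(SAMPLE):
        print(f"{name}: {profile} allows {', '.join(risks)}")
```

Policies that omit the profile are reported under COMPATIBLE, since that is the default and the least restrictive of the three.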