server.mrcp2.transport.tls.useStrongestCipherSuite

Specifies the encryption ciphers on the TLS port. Requires use of only the strongest TLS ciphers.

Value

Integer. Must be 0 (accept weak ciphers), 1 (accept strong ciphers only), or 2 (accept cipher suites based on the DH key exchange method with GCM mode only).

DEFAULT: 0 (accept weak ciphers)

How to set

If using the Management Station, set on the Speech Server service. If not using Management Station, set in an NSS configuration file (user-NSSxx.txt).

Usage

Seldom changed.

For MRCPv2 clients, Speech Server supports Transport Layer Security (TLS) for enhanced security. TLS encrypts messages between the MRCP client and Speech Server so that requests and responses remain invisible to outside observers. For backward compatibility, Speech Server accepts the strongest cipher proposed by the client. However, if the client proposes a weak cipher, the connection will have limited security.

This parameter requires the use of only strong ciphers. Set it to 1 for strong ciphers, or 2 to restrict the cipher suites to those based on the Diffie-Hellman (DH) key exchange method with GCM mode.

When you change the value, the new value only applies after you restart Speech Server.

Related parameter:

See Configuring network security.