Incapsula supports the following features/settings for TLS/SSL:
- Ciphers can be disabled upon request.
- Perfect/Forward Secrecy (PFS/FS via ECDHE ciphers)
- Dynamic TLS Record Sizing
- HSTS (HTTP Strict Transport Security)
- Session identifiers
- Session tickets
- OCSP Stapling
- TLS 1.1 (Disabled by default)
- TLS 1.0 (Disabled by default)
As of May 27, 2018, Incapsula will set TLS 1.2 as the minimum supported version, by default, for connectivity between clients (visitors) and the Incapsula service.
PCI-DSS v3.2 compliance
PCI-DSS compliance requires disabling the use of TLS 1.0 as of July 1, 2018. To comply with this requirement, and due to the known vulnerabilities in TLS 1.1, Incapsula has defined TLS 1.2 as the default minimum supported version. This also applies to the Incapsula Management Console and the Incapsula API.
Connectivity between a website’s origin server and the Incapsula service is the responsibility of the Incapsula customer.
A client with an unsupported TLS version will not be able to establish a connection to Incapsula. The client (a browser, for example) may show the following SSL error message: ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and will not be able to access the site.
Enterprise and Business accounts that need to keep supporting TLS v1.0 and TLS v1.1 can opt out and enable support for all TLS versions on a per-site basis. Opting out means that clients will be able to establish connections to your site using TLS v1.0, v1.1, and v1.2. This is not recommended. To remain PCI compliant, do not enable this option.