---
title: Secure protocol configuration
description: In IDM 7.5.1 and later, the embedded Jetty web server supports Jetty 12.
component: pingidm
version: 7.5
page_id: pingidm:install-guide:secure-protocol-config
canonical_url: https://docs.pingidentity.com/pingidm/7.5/install-guide/secure-protocol-config.html
keywords: ["Installation", "Protocols", "Configuration"]
---

# Secure protocol configuration

> In IDM 7.5.1 and later, the embedded Jetty web server supports Jetty 12. When serving SSL requests, Jetty 12 checks that the incoming host header matches the server certificate's subject and returns a `400 Bad Request` error on a mismatch. If you're upgrading to IDM 7.5.1 or later, you must ensure your IDM server certificate subject matches the host name used by your deployment. Learn more in [What's new](../release-notes/whats-new.html#jetty-12-support-751).

The Jetty configuration for inbound connections to IDM supports a number of protocols and cipher suites.

Enabled *protocols* are explicitly listed in the `includedProtocols` list in the `conf/jetty.xml` file. Only `TLSv1.2` and `TLSv1.3` are enabled by default:

```xml
...
<Array id="includedProtocols" type="java.lang.String">
    <!-- Only support TLS v1.2 and v1.3 -->
    <Item>TLSv1.2</Item>
    <Item>TLSv1.3</Item>
</Array>
...
```

To disable a particular protocol, remove it from the `includedProtocols` list. To add support for a weaker protocol, add it to the list. For example:

```xml
...
<Array id="includedProtocols" type="java.lang.String">
    <Item>TLSv1.2</Item>
    <Item>TLSv1.3</Item>
    <Item>SSLv3.0</Item>
</Array>
...
```

> It is highly recommended that you do not enable weaker protocols such as SSL, and TLS versions prior to 1.2. These protocols use outdated algorithms and are generally considered insecure.

Enabled *cipher suites* for each protocol are listed in the `includedCipherSuites` list in `conf/jetty.xml`:

```xml
...
<Array id="includedCipherSuites" type="java.lang.String">
   <!-- TLS 1.3 cipher suites -->
   <Item>TLS_AES_128_GCM_SHA256</Item>
   <Item>TLS_AES_256_GCM_SHA384</Item>
   <Item>TLS_CHACHA20_POLY1305_SHA256</Item>

   <!-- TLS 1.2 cipher suites -->
   <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
   <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
   <Item>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</Item>
   <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
   <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
   <Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
   <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
   <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
</Array>
...
```

To add support for additional cipher suites, add them as `<Item>`s in this list.
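The following is an added example, not part of the IDM documentation or product: a small audit script that reads the `includedProtocols` and `includedCipherSuites` arrays from a `conf/jetty.xml` and flags entries that weaken the defaults described above, so that a change to either list can be reviewed before deployment. The Jetty XML embedded in the script is a constructed sample that deliberately includes `TLSv1` and two CBC suites; the list of weak-suite markers and the forward-secrecy heuristic (TLS 1.2 suites must use `ECDHE` or `DHE` key exchange, TLS 1.3 suites always do) are this example's own assumptions, not an IDM or Jetty rule.

```python
"""Audit TLS protocol and cipher-suite settings in an IDM conf/jetty.xml (added example)."""
import xml.etree.ElementTree as ET

# Protocols this audit accepts; anything else found in includedProtocols is reported.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Substrings that mark a cipher suite as weak. Heuristic list chosen for this example.
WEAK_CIPHER_MARKERS = (
    "_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_MD5", "_CBC_",
)

# Constructed sample jetty.xml: the defaults plus TLSv1 and two CBC suites to flag.
SAMPLE_JETTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Array id="includedProtocols" type="java.lang.String">
    <Item>TLSv1.2</Item>
    <Item>TLSv1.3</Item>
    <Item>TLSv1</Item>
  </Array>
  <Array id="includedCipherSuites" type="java.lang.String">
    <Item>TLS_AES_128_GCM_SHA256</Item>
    <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
  </Array>
</Configure>
"""


def load_array(xml_text, array_id):
    """Return the <Item> strings of the <Array id=...> with the given id, or [] if absent."""
    root = ET.fromstring(xml_text)
    for array in root.iter("Array"):
        if array.get("id") == array_id:
            return [item.text.strip() for item in array.findall("Item") if item.text]
    return []


def is_forward_secret(suite):
    """TLS 1.3 suite names have no '_WITH_' and always use (EC)DHE; TLS 1.2 suites
    provide forward secrecy only when the name carries ECDHE or DHE key exchange."""
    return "_WITH_" not in suite or "_ECDHE_" in suite or "_DHE_" in suite


def audit_protocols(protocols):
    """Protocols in the list that are not TLS 1.2 or 1.3."""
    return [p for p in protocols if p not in ACCEPTED_PROTOCOLS]


def audit_cipher_suites(suites):
    """List of (suite, reasons) for suites matching a weak marker or lacking forward secrecy."""
    findings = []
    for suite in suites:
        reasons = [marker.strip("_") for marker in WEAK_CIPHER_MARKERS if marker in suite]
        if not is_forward_secret(suite):
            reasons.append("no forward secrecy")
        if reasons:
            findings.append((suite, reasons))
    return findings


def audit_jetty_xml(xml_text):
    """Audit both arrays and return the findings as a dict."""
    return {
        "weak_protocols": audit_protocols(load_array(xml_text, "includedProtocols")),
        "weak_cipher_suites": audit_cipher_suites(load_array(xml_text, "includedCipherSuites")),
    }


if __name__ == "__main__":
    # To audit a real deployment, read the file instead: open("conf/jetty.xml").read()
    result = audit_jetty_xml(SAMPLE_JETTY_XML)
    for proto in result["weak_protocols"]:
        print(f"weak protocol enabled: {proto}")
    for suite, reasons in result["weak_cipher_suites"]:
        print(f"weak cipher suite enabled: {suite} ({', '.join(reasons)})")
```

Run against the sample, the script reports `TLSv1` as a weak protocol and flags `TLS_RSA_WITH_AES_128_CBC_SHA` (CBC mode and no forward secrecy) and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` (CBC mode); the page's default lists produce no findings. Point `audit_jetty_xml` at the real `conf/jetty.xml` to check a deployment after editing either array.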
