On the PCE, SR OS supports TLS or non-TLS mode. That is, when a TLS profile is configured on the PCE, the PCE accepts PCC connections that are TLS-secure or unsecured. To configure the TLS profile on the PCE, use the configure router pcep pce tls-server-profile command.
In the PCES and PCE mode, SR OS accepts connections with a StartTLS message or an Open message from the PCC. Depending on the PCC that sends the StartTLS message, the PCE sends back a StartTLS message also.
In the PCE-only mode, SR OS accepts only Open messages from the PCC; StartTLS messages are not accepted.
In the PCES strict mode, the PCE accepts only TLS connections from the PCC. Non-TLS connections (which open PCEP connections with Open message, not with StartTLS message) are not accepted and the TCP connection is closed. SR OS does not support PCES strict mode.