On the PCE, SR OS supports TLS or non-TLS mode. That is, when a TLS profile is configured on the PCE, the PCE accepts PCC connections that are TLS-secure or unsecured. To configure the TLS profile on the PCE, use the configure router pcep pce tls-server-profile command.
In the PCES and PCE mode, SR OS accepts connections with a StartTLS message or an Open message from the PCC. Depending on the PCC that sends the StartTLS message, the PCE sends back a StartTLS message also.
In the PCE-only mode, SR OS accepts only Open messages from the PCC; StartTLS messages are not accepted.
In the PCES strict mode, the PCE accepts only TLS connections from the PCC. Non-TLS connections (which open PCEP connections with the Open message, not with the StartTLS message) are not accepted and the TCP connection is closed. SR OS does not support PCES strict mode.