topic Re: I think you would use the in Wireless

Enabling TLS for management access in WLC

vijay kumar — Mon, 05 Jul 2021 10:06:09 GMT

Hi all,

We want to disable to SSL v2 and SSL v3 for WLC web management . And we want to enable TLS version for web gui access. I have seen the below command to disable SSL v2

config network secureweb cipher-option sslv2 {enable | disable}

But i havent found for SSLv3 and TLS

Thanks,

Vijay

Enabling or disabling

Prakash Parvathala — Fri, 10 Jul 2015 18:49:21 GMT

Enabling or disabling TLS

Enabling Transport Layer Security (TLS) enables the storage system to use TLS on HTTPS, FTPS, and LDAP traffic.

Before you begin

TLS is disabled by default, and setting up SSL does not automatically enable TLS. Before enabling TLS, ensure that SSL has been set up and enabled.

About this task

Data ONTAP supports TLSv1, SSLv3, and SSLv2. TLSv1 is a protocol version higher than SSLv3, and SSLv3 is a protocol version higher than SSLv2. A negotiation process is built into the TLS and the SSL protocols to use the highest protocol version that is supported by both the client and the server for communication. For TLS to be used for communication, both the client requesting connection and the storage system must support TLS.

Step

To enable or disable TLS, enter the following command:

options tls.enable {on|off}

Use on to enable TLS.
- For TLS to take effect on HTTPS, ensure that the httpd.admin.ssl.enable option is also set to on.
- For TLS to take effect on FTPS, ensure that the ftpd.implicit.enable option or the ftpd.explicit.enable option is also set to on.
- For TLS to take effect on LDAP, ensure that the ldap.ssl.enable option is also set to on.
For more information about these options, see the na_options(1) man page.

For more information about FTPS and LDAP, see the Data ONTAP File Access and Protocols Management Guide for 7-Mode.
Use off (the default) to disable TLS.
When TLS is disabled, SSL is used for communication if SSL has previously been set up and enabled.
Enabling or disabling SSLv2 or SSLv3
If your storage system has the SSL protocol enabled, you can specify the SSL version(s) to use.
About this task
Enabling the SSL versions alone does not enable the SSL protocol for the storage system. To use SSL, ensure that the protocol is enabled on your storage system.
TLS offers better security than SSLv3, and SSLv3 offers better security than SSLv2. In addition to enabling the SSL protocol, you must also have at least one of SSLv2, SSLv3, or TLS enabled for the storage system to use SSL for communication.
Step
Enter the following command to enable or disable SSLv2 or SSLv3:
To enable or disable this SSL version... Enter the following command...
SSLv2
options ssl.v2.enable {on|off}
SSLv3
options ssl.v3.enable {on|off}
Setting the option to on (the default) enables the SSL version on HTTPS, FTPS, and LDAP connections, if the following options are also set to on:
- httpd.admin.ssl.enable (for HTTPS)
- ftpd.implicit.enable or ftpd.explicit.enable (for FTPS)
- ldap.ssl.enable (for LDAP)
Setting the option to off disables the SSL version on HTTPS, FTPS, and LDAP connections.

To enable or disable this SSL version...	Enter the following command...
SSLv2	`options ssl.v2.enable {on\|off}`
SSLv3	`options ssl.v3.enable {on\|off}`

Could you clarify something

superflybry — Wed, 06 Jul 2016 03:49:53 GMT

Could you clarify something for me please? Those commands don't appear int the 5508 controller cli?? Am I missing something here?

options tls.enable {on|off}

httpd.admin.ssl.enable (for HTTPS)

ftpd.implicit.enable or ftpd.explicit.enable (for FTPS)

ldap.ssl.enable (for LDAP)

Thanks

Bryan

Those commands are not for a

jekuehn — Mon, 29 Aug 2016 16:22:56 GMT

Those commands are not for a WLC. What you are looking for are the secureweb commands that you referenced. To enable SSLv3 use the following:

config network secureweb sslv3 enable

To ensure higher level TLS encryption ciphers, use the following:

config network secureweb ciper-option high

You can also use the command you referenced earlier to disable SSLv2, but keep in mind that if you try accessing the web gui or a client that needs to be re-directed to a captive portal and your browsers aren't configured for SSLv3, you will not be able to access the page. Hope this helps.

So, is it currently possible

michael.bungard1 — Thu, 05 Jan 2017 18:29:09 GMT

So, is it currently possible to disable both SSLv2 and SSLv3, while enabling TLS? Our security scanner is kicking out the following:

SSL Version 2 and Version 3 Detected

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.
Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC'S definition of 'strong cryptography'.
Solution

Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead.

I think you would use the

caradford86 — Mon, 30 Jan 2017 17:21:23 GMT

I think you would use the following commands:

config network secureweb sslv3 disable [disables SSLv3]

config network secureweb cipher-option sslv2 disable [disables SSLv2]

config network secureweb cipher-option high [enables TLSv1.2]

Then reload the WLC for the changes to take effect.

Beat me to it. :) Those

jekuehn — Mon, 30 Jan 2017 17:33:49 GMT

Beat me to it. 🙂 Those would be the correct commands. Thanks Chris!

You may also want to also run the below command because I have seen some scanners ding WLCs for having RC4 ciphers in use as well, but ultimately would depend on your security policy.

config network secureweb cipher-options rc4-preference disable

Hi,

cmiyas — Mon, 06 Mar 2017 21:37:14 GMT

Hi,

I recently used this commands in the following order :

config network secureweb cipher-option sslv2 disable

config network secureweb cipher-options rc4-preference disable

config network secureweb cipher-option high

And the result was good, but not enough : The test revealed support for TLSv1.2, TLSv1.1, TLSv1.0 and SSLv3 (No RC4 nor SSLv2 but SSLv3 and DES).

So I looked for options and found the command to disable SSLv3

config network secureweb sslv3 disable

Checking again we got support only for TLSv1.0 (lost 1.1 and 1.2)

We thought that it can be a matter of order so I executed again :

config network secureweb cipher-option high

No changes. No support enabled for TLSv1.2 nor TLSv1.1, only TLSv1.0.

Re-enabling SSLv3 restored support for this protocol and TLSv1.1 and TLSv1.2.

(We are currently using ver. 8.0.140)

Re: I think you would use the

aous.salloum — Wed, 07 Feb 2018 10:11:15 GMT

Hi Guys,

is there a show command to know if SSLV3 is enabled or disabled on the WLC ?

Cheers,

Re: Enabling TLS for management access in WLC

alexandro.angel@softtek.com — Mon, 17 Dec 2018 17:42:42 GMT

Hello Team - Was anyone able to get rid of tlsv1.0?

Kind Regards,

topic Re: I think you would use the in Wireless

Enabling TLS for management access in WLC

Enabling or disabling

Enabling or disabling TLS

Before you begin

About this task

Step

Enabling or disabling SSLv2 or SSLv3

About this task

Step

Could you clarify something

Those commands are not for a

So, is it currently possible

Synopsis

Description

Solution

I think you would use the

Beat me to it. :) Those

Hi,

Re: I think you would use the

Re: Enabling TLS for management access in WLC