04-29-2015 03:20 AM - edited 07-05-2021 03:06 AM
Hi all,
We want to disable SSL v2 and SSL v3 for WLC web management, and we want to enable the TLS version for web GUI access. I have seen the below command to disable SSL v2:
config network secureweb cipher-option sslv2 {enable | disable}
But I haven't found one for SSLv3 and TLS.
Thanks,
Vijay
01-30-2017 09:21 AM
I think you would use the following commands:
config network secureweb sslv3 disable [disables SSLv3]
config network secureweb cipher-option sslv2 disable [disables SSLv2]
config network secureweb cipher-option high [enables TLSv1.2]
Then reload the WLC for the changes to take effect.
07-10-2015 11:49 AM
Enabling Transport Layer Security (TLS) enables the storage system to use TLS on HTTPS, FTPS, and LDAP traffic.
TLS is disabled by default, and setting up SSL does not automatically enable TLS. Before enabling TLS, ensure that SSL has been set up and enabled.
Data ONTAP supports TLSv1, SSLv3, and SSLv2. TLSv1 is a protocol version higher than SSLv3, and SSLv3 is a protocol version higher than SSLv2. A negotiation process is built into the TLS and the SSL protocols to use the highest protocol version that is supported by both the client and the server for communication. For TLS to be used for communication, both the client requesting connection and the storage system must support TLS.
To enable or disable TLS, enter the following command:
For more information about these options, see the na_options(1) man page.
For more information about FTPS and LDAP, see the Data ONTAP File Access and Protocols Management Guide for 7-Mode.
When TLS is disabled, SSL is used for communication if SSL has previously been set up and enabled.
If your storage system has the SSL protocol enabled, you can specify the SSL version(s) to use.
Enabling the SSL versions alone does not enable the SSL protocol for the storage system. To use SSL, ensure that the protocol is enabled on your storage system.
TLS offers better security than SSLv3, and SSLv3 offers better security than SSLv2. In addition to enabling the SSL protocol, you must also have at least one of SSLv2, SSLv3, or TLS enabled for the storage system to use SSL for communication.
| To enable or disable this SSL version... | Enter the following command... |
|---|---|
| SSLv2 | options ssl.v2.enable {on\|off} |
| SSLv3 | options ssl.v3.enable {on\|off} |
Setting the option to off disables the SSL version on HTTPS, FTPS, and LDAP connections.
07-05-2016 08:49 PM
Could you clarify something for me please? Those commands don't appear in the 5508 controller CLI? Am I missing something here?
options tls.enable {on|off}
httpd.admin.ssl.enable (for HTTPS)
ftpd.implicit.enable or ftpd.explicit.enable (for FTPS)
ldap.ssl.enable (for LDAP)
Thanks
Bryan
08-29-2016 09:22 AM
Those commands are not for a WLC. What you are looking for are the secureweb commands that you referenced. To enable SSLv3 use the following:
config network secureweb sslv3 enable
To ensure higher level TLS encryption ciphers, use the following:
config network secureweb cipher-option high
You can also use the command you referenced earlier to disable SSLv2, but keep in mind that if you try accessing the web GUI, or a client needs to be redirected to a captive portal, and your browsers aren't configured for SSLv3, you will not be able to access the page. Hope this helps.
01-05-2017 10:29 AM
So, is it currently possible to disable both SSLv2 and SSLv3, while enabling TLS? Our security scanner is kicking out the following:
SSL Version 2 and Version 3 Detected
The remote service encrypts traffic using a protocol with known weaknesses.
The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.
NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.
Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead.
01-30-2017 09:33 AM
Beat me to it. :) Those would be the correct commands. Thanks Chris!
You may also want to run the below command, because I have seen some scanners ding WLCs for having RC4 ciphers in use as well, but ultimately it would depend on your security policy.
config network secureweb cipher-options rc4-preference disable
03-06-2017 01:37 PM
Hi,
I recently used these commands in the following order:
config network secureweb cipher-option sslv2 disable
config network secureweb cipher-options rc4-preference disable
config network secureweb cipher-option high
And the result was good, but not enough: the test revealed support for TLSv1.2, TLSv1.1, TLSv1.0 and SSLv3 (no RC4 nor SSLv2, but SSLv3 and DES).
So I looked for options and found the command to disable SSLv3
config network secureweb sslv3 disable
Checking again we got support only for TLSv1.0 (lost 1.1 and 1.2)
We thought that it could be a matter of order, so I executed again:
config network secureweb cipher-option high
No changes. No support enabled for TLSv1.2 nor TLSv1.1, only TLSv1.0.
Re-enabling SSLv3 restored support for this protocol and TLSv1.1 and TLSv1.2.
(We are currently using ver. 8.0.140)
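The kind of external check described in this post (which protocol versions the WLC management interface still accepts after each secureweb change), as an added example that is not part of the thread: a small Python probe that pins one protocol version per handshake and turns the results into the findings a compliance scanner would raise. The hostname `wlc.example.invalid` is a placeholder; run it against your own controller's management address.

```python
import socket
import ssl

# Versions in the order a scanner reports them. SSLv3 is included so the
# "config network secureweb sslv3 disable" change can be verified, but most
# current OpenSSL builds cannot offer it at all (reported as None below).
VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1_1"}  # versions PCI DSS v3.1-era scanners flag


def probe_version(host, port, version, timeout=5.0):
    """Try one handshake pinned to a single protocol version.
    True: server completed it. False: server refused it.
    None: local OpenSSL cannot speak it, or the port could not be reached."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # version support, not trust, is under test
        ctx.minimum_version = ctx.maximum_version = getattr(ssl.TLSVersion, version)
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL 3 offer TLS 1.0/1.1 suites
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False  # handshake rejected: server does not accept this version
    except OSError:
        return None  # refused, unreachable or timed out: nothing learned


def scan(host, port=443):
    """Map each protocol version to its probe result."""
    return {v: probe_version(host, port, v) for v in VERSIONS}


def assess(results):
    """Turn a scan() result into findings, including the failure mode from
    this thread where disabling SSLv3 also dropped TLSv1.1/1.2."""
    findings = [f"{v} accepted: disable it" for v in VERSIONS
                if v in LEGACY and results.get(v)]
    if not any(results.get(v) for v in ("TLSv1_2", "TLSv1_3")):
        findings.append("no TLSv1.2 or TLSv1.3 offered: modern browsers will fail")
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "wlc.example.invalid"  # placeholder
    res = scan(target)
    for v in VERSIONS:
        print(f"{v:8s} {res[v]}")
    for finding in assess(res):
        print("FINDING:", finding)
```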
02-07-2018 02:11 AM
Hi Guys,
Is there a show command to know if SSLv3 is enabled or disabled on the WLC?
Cheers,
12-17-2018 09:42 AM
Hello Team - was anyone able to get rid of TLSv1.0?
Kind Regards,