Disable TLS 1.0 and TLS 1.1

Dear all, I need your help. I need to disable TLS 1.0 and TLS 1.1 in the SSL template. I did that and ran a scan, and the deprecated TLS versions still appear.

Comments

  • mdunn Member ✭✭

    This is the correct approach. The configured client-ssl template needs to be bound to the virtual port of the VIP being scanned to realize the change. You may also need to configure and bind a cipher template to lockdown the negotiated ciphers. Can you provide more details on the config such as the template/VIP and scan results?

  • rodrigosh Member

    I configured the following cipher, but in the scan it looked to me as though the deprecated TLS versions below 1.2 were still enabled. I can't run the test again now, since the subdomain is in production.

  • mdunn Member ✭✭

    Would you be able to post a sanitized version of the VIP and template configurations? Also, what code version are you running? Also the scan results showing the unexpected ciphers would be helpful.

  • rodrigosh Member
    edited July 2023

    By "code", do you mean the firmware version that the equipment has?

    The version is 5.2.1-P3, build 70, and the aFleX version is 2.0.0.

  • mdunn Member ✭✭

    5.2.1-P3 is the ACOS version, and that should provide all the capability that you need to lockdown the ciphers. Can you post the VIP and template configurations?

  • rodrigosh Member

    slb template cipher SSL-Cipher-TLS12
     TLS1_ECDHE_RSA_AES_256_GCM_SHA384
    !
    !
    slb template client-ssl SSL-Cliient-wilcard-cert.cl
     auth-username common-name
     chain-cert wilcard_cert
     version 33 31
     certificate wildcard_movistar_2023 key CSR-CERT-CL-CLI chain-cert wildcard_cert_2023
    !
    slb template client-ssl SSL-Client-Wildcard-cert-2022
     version 33 31
     certificate cert-2024 key cert-chain-key-2024 pass-phrase encrypted WLWJywa0hdNk+5XWTKSabGWx4hNsdfDt94QyE1meoAV6Bbp5+4GQ0UN4qpeMU+Yz chain-cert cert-2024

    Which command can I use to show the configuration of the VIP?

  • mdunn Member ✭✭

    For the VIP, you can use "show run slb virtual-server vip_server_name".

    Once we see the VIP configuration, we will see which client-ssl template is bound. One thing I noticed is that the two client-ssl templates you posted include "version 33 31". This command sets the maximum negotiated version to TLS1.2 and the lowest negotiated version to TLS1.0. If you are using these templates and want to disable TLS1.0 and TLS1.1, you need to change this command to "version 33 33".

  • rodrigosh Member

    This is what appears:

    !Section configuration: 308 bytes
    !
    slb virtual-server vs_APIX_prod 10.233.221.195
     port 443 https
      source-nat auto
      service-group pool_vs_axway_prod
      template http 10.233.221.195_http_template
      template http-policy 10.233.221.195
      template client-ssl partition shared SSL-Client-wilcard-cert_nuevo2023

  • dquinn Member

    The "version 33 31" is allowing the device to downgrade to 31 (TLSv1.0).

    Try the following:

    version 33 33 >>> allows 33 (TLSv1.2)

  • rodrigosh Member

    Hello, how do I do this configuration? Could you help me?

  • dquinn Member

    In the slb template SSL-Client-wilcard-cert_nuevo2023 that is in the shared partition, add or edit the version line as below:

    slb template client-ssl SSL-Client-wilcard-cert_nuevo2023
     version 33 33

  • rodrigosh Member

    OK, I'll do it with a new template. Thank you very much.

  • rodrigosh Member
    edited July 2023

    Hello, I tried to execute the command and I get the following:

    slb template client-ssl Test-TLS$ssl Test-TLS1.2-Template Version 33 33

    Unrecognized command. Invalid input detected at '^' marker.

  • rodrigosh Member

    ACOS_SMT01-Standby-vMaster[1/1](config:1-client ssl)#$Template
    ACOS_SMT01-Standby-vMaster[1/1](config:1-client ssl)#version 33 33

    Now all that remains is to assign it to the VIP. How can I check that it is OK, just by doing a scan?

  • dquinn Member

    You can use

    show slb ssl-counters

    and run a scan to verify.

  • rodrigosh Member

    I get this when I run the command:

    ACOS_SMT01-Standby-vMaster[1/1]#show slb ssl-counters
    No SSL counters available

    Sorry for so many questions, I'm new to A10.

  • dquinn Member

    It looks like you are on the standby device.

    You will need to SSH to the active device. This will be the IP address of the second device, not the VCS floating IP.

  • rodrigosh Member

    I'm on the master device; the consultants gave it that name and it tends to cause confusion.

  • dquinn Member

    ACOS_SMT01-Standby-vMaster

    ACOS_SMT01 = hostname
    -Standby = VRRP status

    You must be on the device whose VRRP status is Active to run the 'show slb ssl-counters' command.

  • rodrigosh Member
    edited July 2023

    OK, now I was able to run the command:

    Client ssl stats
    Cumulative sessions = 403914632

    ID         Name                                       Successes   Failures
    0x0300c02f TLS1_ECDHE_RSA_AES_128_GCM_SHA256          28896       994
    0x0300c013 TLS1_ECDHE_RSA_AES_128_SHA                 304         544
    0x0300c027 TLS1_ECDHE_RSA_AES_128_SHA256              367         216
    0x0300c028 TLS1_ECDHE_RSA_AES_256_SHA384              19670       239
    0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384          177399182   783054
    0x0300c014 TLS1_ECDHE_RSA_AES_256_SHA                 8740        7064
    0x0300009c TLS1_RSA_AES_128_GCM_SHA256                115         197
    0x0300002f TLS1_RSA_AES_128_SHA                       301         1089
    0x0300003c TLS1_RSA_AES_128_SHA256                    111         198
    0x0300009d TLS1_RSA_AES_256_GCM_SHA384                924         1777
    0x03000035 TLS1_RSA_AES_256_SHA                       692         849
    0x0300003d TLS1_RSA_AES_256_SHA256                    114         224
    0x0300cca8 TLS1_ECDHE_RSA_CHACHA20_POLY1305_SHA256    156         158
    0x0300ccaa TLS1_DHE_RSA_CHACHA20_POLY1305_SHA256      305         731

    Key Exchange Methods                                  Successes   Failures
     RSA
      2048 bits                                           2257        4334
     ECDHE
      prime256v1                                          177429235   791652
      secp384r1                                           27924       459
     DHE

    SSL/TLS Version                                       Successes   Failures
    SSL3.0                                                0           12107
    TLS1.0                                                7095        16197
    TLS1.1                                                2420        16456
    TLS1.2                                                402861969   104084
    TLS1.3                                                0           920827

    Version downgrade                                     370868681

    Session Cache                                         Count
    New                                                   178298172
    Hit                                                   223088883
    Miss                                                  0
    Expired                                               0
    Current                                               145

    Handshake Average time = 0 ms
    Handshake Failures = 1069710
    Certificate Auth = 0
    SNI Auto-Map Successes = 0
    SNI Auto-Map Failures = 0
    SNI Auto-Map Failures Connection Closed = 0
    SNI Auto-Map Failures Max Active Connections = 0
    SNI Auto-Map Failures Missing Cert/Key = 0
    SNI Bypass due to Missing Cert/Key = 0
    SNI Bypass due to Certificate Expired = 0
    SNI Bypass due to Matched Explicit Bypass List = 0

    Renegotiation Counters
    Total renegotiations = 973

    Renegotiated SSL/TLS Versions                         Successes   Failures
    TLS1.2                                                973         0

    Global Stats
    --------------------------------------------------------------------------------
    Server ssl stats
    Cumulative sessions = 397517686

    ID         Name                                       Successes   Failures
    0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384          397502946   14069

    Key Exchange Methods                                  Successes   Failures
     RSA
     ECDHE
      prime256v1                                          397502946   14053
     DHE

    SSL/TLS Version                                       Successes   Failures
    TLS1.2                                                397502946   14824

    Session Cache                                         Count
    New                                                   397517686
    Hit                                                   0
    Miss                                                  0
    Expired                                               0
    Current                                               0

    Handshake Average time = 0 ms
    Handshake Failures = 14824
    Certificate Auth = 0

    Renegotiation Counters
    Total renegotiations = 0

    Renegotiated SSL/TLS Versions                         Successes   Failures
    (none used)
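The counter dump above is the evidence the thread is after, but it is cumulative, so the non-zero TLS1.0 and TLS1.1 success counts only prove that the old "version 33 31" template was negotiating them at some point. The script below is an added example (not code from the thread, from A10 or from any scanner) that parses a "show slb ssl-counters" dump, keeps only the client-side block (the server-ssl block describes A10 to real server and is irrelevant to an external scan), and reports which deprecated versions and which ciphers clients actually negotiated. BEFORE is an abbreviated copy of the dump posted above; AFTER is a constructed dump showing what a clean result looks like once a template carrying "version 33 33" is bound to the VIP and the counters have been cleared. The allowed-cipher set is taken from the "SSL-Cipher-TLS12" template posted earlier in the thread, so ciphers outside it indicate the cipher template is not bound to the VIP.

```python
"""Check an ACOS 'show slb ssl-counters' dump for TLS versions and ciphers
that clients are still negotiating on the VIP.

Added example, not code from the thread or from A10.  BEFORE is an
abbreviated copy of the client-side counters posted in the thread; AFTER
is a constructed dump of what the counters should look like once a
template with 'version 33 33' is bound and the counters have been cleared.
"""
import re
from typing import Dict, List, Tuple

# Versions that must never show successes once min and max are both TLS1.2.
DEPRECATED = ("SSL3.0", "TLS1.0", "TLS1.1")
# The only cipher in the 'SSL-Cipher-TLS12' template posted in the thread.
ALLOWED_CIPHERS = {"TLS1_ECDHE_RSA_AES_256_GCM_SHA384"}

VERSION_RE = re.compile(r"^\s*(SSL3\.0|TLS1\.[0-3])\s+(\d+)\s+(\d+)\s*$")
CIPHER_RE = re.compile(r"^\s*(0x[0-9a-fA-F]{8})\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

# Abbreviated copy of the dump posted above (before the fix).
BEFORE = """\
Client ssl stats
ID     Name                 Successes   Failures
0x0300c02f TLS1_ECDHE_RSA_AES_128_GCM_SHA256  28896     994
0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384  177399182   783054
0x0300002f TLS1_RSA_AES_128_SHA         301      1089

SSL/TLS Version                 Successes   Failures
SSL3.0                     0       12107
TLS1.0                     7095     16197
TLS1.1                     2420     16456
TLS1.2                     402861969   104084
TLS1.3                     0       920827

Version downgrade                370868681
Renegotiated SSL/TLS Versions          Successes   Failures
TLS1.2                     973      0
Server ssl stats
SSL/TLS Version                 Successes   Failures
TLS1.2                     397502946   14824
"""

# Constructed: a healthy dump after 'version 33 33' and a counter clear.
AFTER = """\
Client ssl stats
ID     Name                 Successes   Failures
0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384  1490     30
SSL/TLS Version                 Successes   Failures
SSL3.0                     0       4
TLS1.0                     0       11
TLS1.1                     0       7
TLS1.2                     1490     8
TLS1.3                     0       0
Version downgrade                0
"""


def client_section(text: str) -> str:
    """Keep only the 'Client ssl stats' block (internet -> A10 handshakes)."""
    return text.partition("Server ssl stats")[0]


def version_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Parse the first 'SSL/TLS Version' table: version -> (successes, failures).
    The table ends at the first non-matching line ('Version downgrade'), which
    also keeps the later renegotiation table from being counted."""
    counts: Dict[str, Tuple[int, int]] = {}
    in_table = False
    for line in client_section(text).splitlines():
        if not in_table:
            in_table = line.strip().startswith("SSL/TLS Version")
            continue
        if not line.strip():
            continue  # the real CLI output has blank lines between rows
        m = VERSION_RE.match(line)
        if not m:
            break
        counts[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counts


def cipher_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Parse the cipher table: cipher name -> (successes, failures)."""
    counts: Dict[str, Tuple[int, int]] = {}
    for line in client_section(text).splitlines():
        m = CIPHER_RE.match(line)
        if m:
            counts[m.group(2)] = (int(m.group(3)), int(m.group(4)))
    return counts


def deprecated_negotiated(text: str) -> List[str]:
    """Deprecated versions that completed at least one handshake."""
    vc = version_counters(text)
    return [v for v in DEPRECATED if vc.get(v, (0, 0))[0] > 0]


def ciphers_outside(text: str, allowed=ALLOWED_CIPHERS) -> List[str]:
    """Ciphers successfully negotiated that the cipher template does not list."""
    return [name for name, (ok, _fail) in cipher_counters(text).items()
            if ok > 0 and name not in allowed]


if __name__ == "__main__":
    for label, dump in (("before (posted dump)", BEFORE), ("after (constructed)", AFTER)):
        print(f"--- {label} ---")
        print("deprecated versions negotiated:", deprecated_negotiated(dump) or "none")
        print("ciphers outside template:", ciphers_outside(dump) or "none")
```

Run it against a fresh dump after "clear slb ssl-counter" and a scan: if TLS1.0 or TLS1.1 still show successes, the new template is not the one bound to the scanned VIP and port (check the partition, and that the scan is hitting this VIP and not another service on the same address). Failures in those rows are expected; they are the scanner and old clients being refused. For an external check, "openssl s_client -tls1 -connect <vip>:443" and "-tls1_1" should fail to complete a handshake, with the caveat that OpenSSL 3.x at its default security level will not offer TLS 1.0 or 1.1 itself, so a failed local handshake only confirms the fix when the scanner result agrees.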

  • dquinn Member

    You can use 'clear slb ssl-counter' to reset the counters. It makes it easier to track.

  • rodrigosh Member

    OK, thank you very much for the help. I'm going to look for a domain to test with.

  • rodrigosh Member

    I had a question: do I only apply this to the SSL client template, and do I not have to do anything in the SSL server part?

  • mdunn Member ✭✭

    Yes, you only need to change the client-ssl template. The client-ssl template is the handshake from the internet to the A10. The server-ssl template is the handshake between the A10 and the real server. In an SSL offload configuration, only a client-ssl template is used.

  • rodrigosh Member

    I understand. Thank you very much for the help.
