Disable TLS 1.0 and TLS 1.1
rodrigosh
Dear all, I need your help. I need to disable TLS 1.0 and TLS 1.1 in the SSL template. I do it, run a scan, and the deprecated TLS versions still appear.
Comments
This is the correct approach. The configured client-ssl template needs to be bound to the virtual port of the VIP being scanned to realize the change. You may also need to configure and bind a cipher template to lockdown the negotiated ciphers. Can you provide more details on the config such as the template/VIP and scan results?
I configured the following cipher, but in the scan it looked to me like the deprecated TLS versions up to 1.2 were enabled. Now I can't run the test again since the subdomain is in production.
Would you be able to post a sanitized version of the VIP and template configurations? Also, what code version are you running? Also the scan results showing the unexpected ciphers would be helpful.
By "code", do you mean the firmware version that the equipment has?
The version is 5.2.1-p3, build 70 and from aFlex it is 2.0.0
5.2.1-P3 is the ACOS version, and that should provide all the capability that you need to lockdown the ciphers. Can you post the VIP and template configurations?
slb template cipher SSL-Cipher-TLS12
TLS1_ECDHE_RSA_AES_256_GCM_SHA384
!
!
slb template client-ssl SSL-Cliient-wilcard-cert.cl
auth-username common-name
chain-cert wilcard_cert
version 33 31
certificate wildcard_movistar_2023 key CSR-CERT-CL-CLI chain-cert wildcard_cert_2023
!
slb template client-ssl SSL-Client-Wildcard-cert-2022
version 33 31
certificate cert-2024 key cert-chain-key-2024 pass-phrase encrypted WLWJywa0hdNk+5XWTKSabGWx4hNsdfDt94QyE1meoAV6Bbp5+4GQ0UN4qpeMU+Yz chain-cert cert-2024
Which command can I use to show the configuration of the VIP?
For the VIP, you can use "show run slb virtual-server vip_server_name". Once we see the VIP configuration, we will see which client-ssl template is bound. One thing I noticed is that the two client-ssl templates you posted include "version 33 31". This command sets the maximum negotiated version to TLS1.2, and the lowest negotiated version to TLS1.0. If you are using these templates and want to disable TLS1.0 and TLS1.2, you need to change this command to "version 33 33".
This is what appears:
!Section configuration: 308 bytes
!
slb virtual-server vs_APIX_prod 10.233.221.195
port 443 https
source-nat auto
service-group pool_vs_axway_prod
template http 10.233.221.195_http_template
template http-policy 10.233.221.195
template client-ssl partition shared SSL-Client-wilcard-cert_nuevo2023
The "version 33 31" is allowing the device to downgrade to 31 (TLSv1.0). Try the following:
version 33 33 >>> allows 33 (TLSv1.2)
Hello, how do I do this configuration? If you can help me.
In the slb template SSL-Client-wilcard-cert_nuevo2023 that is in the shared partition, add or edit the version line as below:
slb template client-ssl SSL-Client-wilcard-cert_nuevo2023
version 33 33
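The "version <max> <min>" semantics above are easy to misread (the first number is the maximum, the second the minimum), so here is an added example, not code from this thread or from A10, that audits client-ssl template definitions and reports which deprecated versions each one still allows. It assumes the ACOS codes 31 = TLS1.0 and 33 = TLS1.2 from the thread, and that 30, 32 and 34 follow the same numbering (SSL3.0, TLS1.1, TLS1.3); the sample config is constructed from the templates posted above.

```python
"""Added example, not code from the thread or from A10: audit the 'version <max> <min>'
line of ACOS client-ssl templates and report which deprecated TLS versions each one
still allows."""
import re

# ACOS protocol codes. 31 (TLS1.0) and 33 (TLS1.2) are the values discussed in the
# thread; 30, 32 and 34 are assumed to follow the same numbering (SSL3.0, TLS1.1, TLS1.3).
ACOS_VERSION_NAMES = {30: "SSL3.0", 31: "TLS1.0", 32: "TLS1.1", 33: "TLS1.2", 34: "TLS1.3"}
DEPRECATED = {"SSL3.0", "TLS1.0", "TLS1.1"}
TLS12_CODE = 33

# Constructed sample config: the 'version 33 31' template from the thread, the corrected
# template, and one with no version line at all (the device default then applies).
SAMPLE_CONFIG = """\
slb template client-ssl SSL-Client-Wildcard-cert-2022
  version 33 31
  certificate cert-2024 key cert-chain-key-2024
!
slb template client-ssl SSL-Client-wilcard-cert_nuevo2023
  version 33 33
!
slb template client-ssl legacy-no-version
  certificate cert-2024 key cert-chain-key-2024
!
"""

TEMPLATE_RE = re.compile(r"^slb template client-ssl (\S+)$")
VERSION_RE = re.compile(r"^version (\d+) (\d+)$")


def parse_templates(config_text):
    """Map each client-ssl template name to its (max_code, min_code) pair, or None
    when the template has no 'version' line."""
    templates = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TEMPLATE_RE.match(line)
        if m:
            current = m.group(1)
            templates[current] = None
            continue
        m = VERSION_RE.match(line)
        if m and current is not None:
            templates[current] = (int(m.group(1)), int(m.group(2)))
    return templates


def allowed_versions(max_code, min_code):
    """Protocol names the device may negotiate: every code from min to max inclusive."""
    return [ACOS_VERSION_NAMES[c] for c in range(min_code, max_code + 1)
            if c in ACOS_VERSION_NAMES]


def recommended_version_line(max_code, min_code):
    """Keep the configured maximum, but raise the minimum to TLS1.2 (code 33) if lower."""
    return "version %d %d" % (max_code, max(min_code, TLS12_CODE))


def audit(config_text):
    """For each template: the list of deprecated versions still allowed, or None when
    there is no version line and the device default decides."""
    report = {}
    for name, codes in parse_templates(config_text).items():
        if codes is None:
            report[name] = None
        else:
            report[name] = [v for v in allowed_versions(*codes) if v in DEPRECATED]
    return report


if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    for name, codes in parse_templates(SAMPLE_CONFIG).items():
        if codes is None:
            print("%s: no version line, device default applies" % name)
            continue
        print("%s: allows %s" % (name, ", ".join(allowed_versions(*codes))))
        if findings[name]:
            print("  -> still accepts %s; use '%s'"
                  % (", ".join(findings[name]), recommended_version_line(*codes)))
```

Paste the output of "show run slb template client-ssl" into SAMPLE_CONFIG (or read it from a file) to check every template in one pass; remember that a corrected template only takes effect on VIPs that actually bind it.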
Ok, I'll do it with a new template, thank you very much.
Hello, I tried to execute the command and I get the following:
slb template client-ssl Test-TLS$ssl Test-TLS1.2-Template Version 33 33
Unrecognized command.Invalid input detected at '^' marker.
ACOS_SMT01-Standby-vMaster[1/1](config:1-client ssl)#$Template
ACOS_SMT01-Standby-vMaster[1/1](config:1-client ssl)#version 33 33
Now all that remains is to assign it to the VIP and how can I check that it is OK, just by doing a scan?
You can use "show slb ssl-counters" and run a scan to verify.
I get this when I run the command
ACOS_SMT01-Standby-vMaster[1/1]#show slb ssl-counters
No SSL counters available
Sorry for so many questions, I'm new to A10.
It looks like you are on the standby device. You will need to SSH to the active device; this will be the IP address of the second device, not the VCS floating IP.
I'm on the Master team; the consultants put that name and it tends to confuse.
ACOS_SMT01-Standby-vMaster
ACOS_SMT01 = hostname
-Standby = vrrp status
You must be on the device that has Active as the VRRP status to run the "show slb ssl-counters" command.
Ok now I was able to run the command
Client ssl stats
Cumulative sessions = 403914632
ID Name Successes Failures
0x0300c02f TLS1_ECDHE_RSA_AES_128_GCM_SHA256 28896 994
0x0300c013 TLS1_ECDHE_RSA_AES_128_SHA 304 544
0x0300c027 TLS1_ECDHE_RSA_AES_128_SHA256 367 216
0x0300c028 TLS1_ECDHE_RSA_AES_256_SHA384 19670 239
0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384 177399182 783054
0x0300c014 TLS1_ECDHE_RSA_AES_256_SHA 8740 7064
0x0300009c TLS1_RSA_AES_128_GCM_SHA256 115 197
0x0300002f TLS1_RSA_AES_128_SHA 301 1089
0x0300003c TLS1_RSA_AES_128_SHA256 111 198
0x0300009d TLS1_RSA_AES_256_GCM_SHA384 924 1777
0x03000035 TLS1_RSA_AES_256_SHA 692 849
0x0300003d TLS1_RSA_AES_256_SHA256 114 224
0x0300cca8 TLS1_ECDHE_RSA_CHACHA20_POLY1305_SHA256 156 158
0x0300ccaa TLS1_DHE_RSA_CHACHA20_POLY1305_SHA256 305 731
Key Exchange Methods Successes Failures
RSA
2048 bits 2257 4334
ECDHE
prime256v1 177429235 791652
secp384r1 27924 459
DHE
SSL/TLS Version Successes Failures
SSL3.0 0 12107
TLS1.0 7095 16197
TLS1.1 2420 16456
TLS1.2 402861969 104084
TLS1.3 0 920827
Version downgrade 370868681
Session Cache Count
New 178298172
Hit 223088883
Miss 0
Expired 0
Current 145
Handshake Average time = 0 ms
Handshake Failures = 1069710
Certificate Auth = 0
SNI Auto-Map Successes = 0
SNI Auto-Map Failures = 0
SNI Auto-Map Failures Connection Closed = 0
SNI Auto-Map Failures Max Active Connections = 0
SNI Auto-Map Failures Missing Cert/Key = 0
SNI Bypass due to Missing Cert/Key = 0
SNI Bypass due to Certificate Expired = 0
SNI Bypass due to Matched Explicit Bypass List = 0
Renegotiation Counters
Total renegotiations = 973
Renegotiated SSL/TLS Versions Successes Failures
TLS1.2 973 0
Global Stats
--------------------------------------------------------------------------------
Server ssl stats
Cumulative sessions = 397517686
ID Name Successes Failures
0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384 397502946 14069
Key Exchange Methods Successes Failures
RSA
ECDHE
prime256v1 397502946 14053
DHE
SSL/TLS Version Successes Failures
TLS1.2 397502946 14824
Session Cache Count
New 397517686
Hit 0
Miss 0
Expired 0
Current 0
Handshake Average time = 0 ms
Handshake Failures = 14824
Certificate Auth = 0
Renegotiation Counters
Total renegotiations = 0
Renegotiated SSL/TLS Versions Successes Failures
(none used)
You can use "clear slb ssl-counter" to reset the counters. That makes it easier to track.
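To make that tracking repeatable, here is an added example, not code from this thread or from A10, that parses the "SSL/TLS Version" tables of "show slb ssl-counters" and flags deprecated versions that still complete handshakes on the client side. The sample text is a constructed, abbreviated copy of the counter output posted above; the parser only reads the main version table and skips the "Renegotiated SSL/TLS Versions" table, which has a different header.

```python
"""Added example, not code from the thread or from A10: parse the 'SSL/TLS Version'
tables of 'show slb ssl-counters' and flag deprecated versions that still complete
handshakes on the client side."""
import re

# Constructed sample: an abbreviated copy of the counter output posted in the thread.
SAMPLE_OUTPUT = """\
Client ssl stats
Cumulative sessions = 403914632
ID Name Successes Failures
0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384 177399182 783054
Key Exchange Methods Successes Failures
ECDHE
prime256v1 177429235 791652
SSL/TLS Version Successes Failures
SSL3.0 0 12107
TLS1.0 7095 16197
TLS1.1 2420 16456
TLS1.2 402861969 104084
TLS1.3 0 920827
Version downgrade 370868681
Session Cache Count
New 178298172
Renegotiation Counters
Total renegotiations = 973
Renegotiated SSL/TLS Versions Successes Failures
TLS1.2 973 0
--------------------------------------------------------------------------------
Server ssl stats
Cumulative sessions = 397517686
SSL/TLS Version Successes Failures
TLS1.2 397502946 14824
Session Cache Count
New 397517686
"""

DEPRECATED = ("SSL3.0", "TLS1.0", "TLS1.1")
VERSION_HEADER = "SSL/TLS Version Successes Failures"
VERSION_ROW_RE = re.compile(r"^((?:SSL|TLS)\d\.\d)\s+(\d+)\s+(\d+)$")
DOWNGRADE_RE = re.compile(r"^Version downgrade\s+(\d+)$")


def parse_ssl_counters(text):
    """Return {'client'|'server': {'versions': {name: (successes, failures)},
    'version_downgrade': int}}. Only rows directly under the main version header
    are read; the renegotiation table has a different header and is ignored."""
    stats = {}
    side = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Client ssl stats", "Server ssl stats"):
            side = line.split()[0].lower()
            stats[side] = {"versions": {}, "version_downgrade": 0}
            in_table = False
            continue
        if side is None:
            continue
        if line == VERSION_HEADER:
            in_table = True
            continue
        row = VERSION_ROW_RE.match(line)
        if in_table and row:
            stats[side]["versions"][row.group(1)] = (int(row.group(2)), int(row.group(3)))
            continue
        in_table = False  # any non-row line ends the version table
        down = DOWNGRADE_RE.match(line)
        if down:
            stats[side]["version_downgrade"] = int(down.group(1))
    return stats


def deprecated_in_use(stats, side="client"):
    """Deprecated versions with at least one successful handshake on the given side."""
    versions = stats.get(side, {}).get("versions", {})
    return {v: versions[v][0] for v in DEPRECATED if v in versions and versions[v][0] > 0}


if __name__ == "__main__":
    stats = parse_ssl_counters(SAMPLE_OUTPUT)
    for side in ("client", "server"):
        print(side, "deprecated handshakes:", deprecated_in_use(stats, side) or "none")
    print("client version downgrades:", stats["client"]["version_downgrade"])
```

The counters are cumulative, so the useful sequence is: bind the corrected template, run "clear slb ssl-counter", rescan, and parse the fresh output. Any non-zero TLS1.0 or TLS1.1 success count on the client side after that means the scanned VIP is still bound to a template that allows them; the high TLS1.3 failure count in the thread's output is a separate signal that clients offering TLS1.3 are being refused rather than downgraded.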
Ok, thank you very much for the help, I'm going to look for a domain to test.
I had a question... I only apply this to the SSL Client and I don't have to do anything in the SSL Server part?
Yes, you only need to change the client-ssl template. The client-ssl template is the handshake from the internet to the A10. The server-ssl template is the handshake between the A10 and the real server. In an SSL offload configuration, only a client-ssl template is used.
I understand, thank you very much for the help.