.. _Web_TLS_Protocol_Configuration:

Web TLS Protocol Configuration
------------------------------

.. index:: web;web ssl

.. _19.1|VOSSUC-20130:
.. _12.5(1)|VOSSUC-20130:
.. _20.1.1|VOSS-661|EKB-4494:

Commands are available to list Transport Layer Security (TLS) protocol versions
and also to enable or disable TLS versions.

.. note::

   * The command should be run on all nodes in a cluster.
   * When enabling or disabling a TLS protocol version, the web server needs
     to be restarted. Running the command will show a message and carry out
     this task.

The following protocols are available in VOSS Automate:

* TLSv1.1
* TLSv1.2
* TLSv1.3

.. important::

   * While TLSv1.1 is still available, you are strongly advised to move to
     the later versions for security reasons.
   * TLSv1.2 is enabled by default upon installation. Upon upgrade, your
     current protocol is retained.
   * TLSv1.2 can only be disabled by enabling TLSv1.3.

* **web ssl list**

  Example:

  ::

     $ web ssl list
     TLSv1.1: Disabled
     TLSv1.3: Disabled
     TLSv1.2: Enabled

  * Enabling or disabling a protocol that is already in that state will raise
    an error message.

* **web ssl disable**

  * Enabling or disabling a protocol that is already in that state will raise
    an error message.

  Example:

  ::

     $ web ssl disable TLSv1.1
     Disabling the TLSv1.1 protocol requires the web server to be restarted. Do you wish to continue? yes
     TLSv1.1: Disabled
     TLSv1.2: Enabled
     Restarting nginx for settings to take effect
     Application nginx processes stopped.
     Application services: firewall processes stopped.
     Application nginx processes started.

* **web ssl enable**

  .. note::

     * Running **web ssl enable TLSv1.3** disables TLSv1.1 and TLSv1.2.
       Users will not be able to alter web ciphers.
     * Running **web ssl enable TLSv1.1** or **web ssl enable TLSv1.2**
       disables TLSv1.3. Users can change the web ciphers.
     * If a user enables TLSv1.1, it will also enable TLSv1.2.

  * Enabling or disabling a protocol that is already in that state will raise
    an error message.

  Example:

  ::

     $ web ssl enable TLSv1.1
     Enabling the TLSv1.1 protocol requires the web server to be restarted. Do you wish to continue? yes
     TLSv1.1: Enabled
     TLSv1.2: Enabled
     Restarting nginx for settings to take effect
     Application nginx processes stopped.
     Application services: firewall processes stopped.
     Application nginx processes started.

The table below shows the result of running **web ssl enable** or
**web ssl disable** given a specific state (from **web ssl list**).

+-------------------------+---------+--------------------+
| State                   | Command | Result             |
+--------+-------+--------+---------+--------+-----+-----+
| 1.1    | 1.2   | 1.3    | on/off  | 1.1    | 1.2 | 1.3 |
+========+=======+========+=========+========+=====+=====+
| off    | on    | off    | 1.1 on  | on     | on  | off |
+--------+-------+--------+---------+--------+-----+-----+
| off    | off   | on     | 1.1 on  | on     | on  | off |
+--------+-------+--------+---------+--------+-----+-----+
| off    | off   | on     | 1.2 on  | off    | on  | off |
+--------+-------+--------+---------+--------+-----+-----+
| off    | on    | off    | 1.3 on  | off    | off | on  |
+--------+-------+--------+---------+--------+-----+-----+
| on     | on    | off    | 1.3 on  | off    | off | on  |
+--------+-------+--------+---------+--------+-----+-----+
| on     | on    | off    | 1.1 off | off    | on  | off |
+--------+-------+--------+---------+--------+-----+-----+

.. |VOSS Automate| replace:: VOSS Automate
.. |Unified CM| replace:: Unified CM
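
Because the command has to be run on every node, the **web ssl list** output collected from each node can be checked for TLSv1.1 still being enabled, for states the rules above should never produce, and for nodes that differ from the rest of the cluster. The Python below is an added example, not part of VOSS Automate: the node names and captured output are constructed, and a protocol missing from the output is assumed to be disabled.

```python
import re

# Constructed sample: `web ssl list` output captured from three nodes
# (node names and the drifted node3 are invented for this example).
SAMPLE = {
    "node1": "TLSv1.1: Disabled\nTLSv1.3: Disabled\nTLSv1.2: Enabled\n",
    "node2": "TLSv1.1: Disabled\nTLSv1.3: Disabled\nTLSv1.2: Enabled\n",
    "node3": "TLSv1.1: Enabled\nTLSv1.2: Enabled\n",
}
VERSIONS = ("TLSv1.1", "TLSv1.2", "TLSv1.3")
LINE = re.compile(r"^\s*(TLSv1\.[123]):\s*(Enabled|Disabled)\s*$")


def parse_list(output):
    """Return {version: bool}; assumption: a version not reported is disabled."""
    state = dict.fromkeys(VERSIONS, False)
    for line in output.splitlines():
        m = LINE.match(line)
        if m:
            state[m.group(1)] = m.group(2) == "Enabled"
    return state


def check_node(state):
    """Findings for one node, using only the rules stated on this page."""
    v11, v12, v13 = (state[v] for v in VERSIONS)
    findings = []
    if v11:
        findings.append("TLSv1.1 enabled; move to a later version")
    if v13 and (v11 or v12):
        findings.append("unexpected: TLSv1.3 enabled together with an older version")
    if v11 and not v12:
        findings.append("unexpected: TLSv1.1 enabled without TLSv1.2")
    if not any(state.values()):
        findings.append("unexpected: no protocol enabled")
    return findings


def audit_cluster(outputs):
    """Return (findings per node, nodes that differ from the most common state)."""
    states = {node: parse_list(out) for node, out in outputs.items()}
    findings = {n: f for n, s in states.items() if (f := check_node(s))}
    keys = {n: tuple(s[v] for v in VERSIONS) for n, s in states.items()}
    common = max(keys.values(), key=list(keys.values()).count)
    return findings, sorted(n for n, k in keys.items() if k != common)


if __name__ == "__main__":
    print(audit_cluster(SAMPLE))
```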