Web TLS Protocol Configuration

Commands are available to list Transport Layer Security (TLS) protocol versions and also to enable or disable TLS versions.

Note

  • The command should be run on all nodes in a cluster.

  • When a TLS protocol version is enabled or disabled, the web server needs to be restarted. The command shows a message to this effect and carries out the restart.

The following protocols are available in VOSS Automate:

  • TLSv1.1

  • TLSv1.2

  • TLSv1.3

Important

  • While TLSv1.1 is still available, you are strongly advised to move to the later versions for security reasons.

  • TLSv1.2 is enabled by default upon installation. Upon upgrade, your current protocol is retained.

  • TLSv1.2 can only be disabled by enabling TLSv1.3.

  • web ssl list

    Example:

    $ web ssl list
    TLSv1.1: Disabled
    TLSv1.3: Disabled
    TLSv1.2: Enabled
    
    • Enabling or disabling a protocol that is already in that state will raise an error message.

  • web ssl disable <TLS version>

    • Enabling or disabling a protocol that is already in that state will raise an error message.

    Example:

    $ web ssl disable TLSv1.1
    Disabling the TLSv1.1 protocol requires the web server to be restarted.
    Do you wish to continue? yes
    TLSv1.1: Disabled
    TLSv1.2: Enabled
    
    Restarting nginx for settings to take effect
    
    Application nginx processes stopped.
    
    
    Application services: firewall processes stopped.
    Application nginx processes started.
    
  • web ssl enable <TLS version>

    Note

    • Running web ssl enable TLSv1.3 disables TLSv1.1 and TLSv1.2. Users will not be able to alter web ciphers.

    • Running web ssl enable TLSv1.1 or web ssl enable TLSv1.2 disables TLSv1.3. Users can change the web ciphers.

    • If a user enables TLSv1.1, TLSv1.2 is also enabled.

    • Enabling or disabling a protocol that is already in that state will raise an error message.

    Example:

    $ web ssl enable TLSv1.1
    Enabling the TLSv1.1 protocol requires the web server to be restarted.
    Do you wish to continue? yes
    TLSv1.1: Enabled
    TLSv1.2: Enabled
    
    
    Restarting nginx for settings to take effect
    
    Application nginx processes stopped.
    
    
    Application services: firewall processes stopped.
    Application nginx processes started.
    

The table below shows the result of running web ssl enable or web ssl disable given a specific state (from web ssl list).

State                  Command     Result
1.1    1.2    1.3      on/off      1.1    1.2    1.3

off    on     off      1.1 on      on     on     off
off    off    on       1.1 on      on     on     off
off    off    on       1.2 on      off    on     off
off    on     off      1.3 on      off    off    on
on     on     off      1.3 on      off    off    on
on     on     off      1.1 off     off    on     off
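
An added example (not part of the VOSS documentation or product): because the command must be run on every node, this Python script parses web ssl list output captured from each node and reports nodes where TLSv1.1 is still enabled, states that contradict the enable rules above, and differences between nodes. The node names and sample captures are constructed, and how the output is collected from each node is left to the operator.

```python
import re

# Matches the status lines printed by `web ssl list`, e.g. "TLSv1.2: Enabled".
STATUS_RE = re.compile(r"^\s*(TLSv1\.[123]):\s*(Enabled|Disabled)\s*$")

def parse_web_ssl_list(text):
    """Return {protocol: enabled?} for every status line found in the output."""
    state = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            state[m.group(1)] = m.group(2) == "Enabled"
    return state

def audit_cluster(outputs, deprecated=("TLSv1.1",)):
    """outputs maps node name -> captured `web ssl list` text; returns findings."""
    findings, enabled_by_node = [], {}
    for node in sorted(outputs):
        state = parse_web_ssl_list(outputs[node])
        enabled = frozenset(p for p, on in state.items() if on)
        if not state:
            findings.append(f"{node}: no protocol status lines found")
            continue
        enabled_by_node[node] = enabled
        for proto in deprecated:
            if proto in enabled:
                findings.append(f"{node}: {proto} is enabled")
        # Per the notes above, enabling TLSv1.3 disables 1.1 and 1.2 (and vice versa).
        if "TLSv1.3" in enabled and len(enabled) > 1:
            findings.append(f"{node}: TLSv1.3 enabled alongside an older version")
    # The command must be run on every node, so all nodes should report the same set.
    if len(set(enabled_by_node.values())) > 1:
        detail = "; ".join(f"{n}={'+'.join(sorted(e)) or 'none'}"
                           for n, e in enabled_by_node.items())
        findings.append(f"cluster: nodes disagree ({detail})")
    return findings

# Constructed sample captures; node names are hypothetical.
SAMPLE = {
    "node-a": "TLSv1.1: Disabled\nTLSv1.3: Disabled\nTLSv1.2: Enabled\n",
    "node-b": "TLSv1.1: Enabled\nTLSv1.2: Enabled\n",  # change missed on this node
    "node-c": "TLSv1.1: Disabled\nTLSv1.3: Disabled\nTLSv1.2: Enabled\n",
}

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE):
        print(finding)
```

A protocol that does not appear in a node's output is treated as not enabled, since the example output after web ssl disable lists only TLSv1.1 and TLSv1.2.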