.. _Web_TLS_Protocol_Configuration:

Web TLS Protocol Configuration
------------------------------

.. index:: web;web ssl


.. _19.1|VOSSUC-20130:
.. _12.5(1)|VOSSUC-20130:
.. _20.1.1|VOSS-661|EKB-4494:

Commands are available to list Transport Layer Security (TLS) protocol versions
and also to enable or disable TLS versions.

.. note::
   
   * The command should be run on every node in the cluster.
   * Enabling or disabling a TLS protocol version requires a restart of the web server.
     The command displays a message and carries out the restart itself.


The following protocols are available in VOSS Automate:

* TLSv1.2
* TLSv1.3

.. important::

   * TLSv1.2 is enabled by default on installation. Because of weak ciphers
     in TLSv1.2, it is highly recommended that after an upgrade you enable
     TLSv1.3 as soon as possible on all application, unified and web proxy nodes.
   * TLSv1.2 can only be disabled by enabling TLSv1.3.
 

   



* **web ssl list**

  Example:

  ::
  
     $ web ssl list
     TLSv1.3: Disabled
     TLSv1.2: Enabled

  * Enabling or disabling a protocol that is already in that state raises an error message.


* **web ssl disable <TLS version>**

  * Enabling or disabling a protocol that is already in that state raises an error message.

  Example:

  ::
  
     $ web ssl disable TLSv1.2
     Disabling the TLSv1.2 protocol requires the web server to be restarted.
     Do you wish to continue? yes
     TLSv1.2: Disabled
     TLSv1.3: Enabled

     Restarting nginx for settings to take effect

     Application nginx processes stopped.


     Application services: firewall processes stopped.
     Application nginx processes started.

* **web ssl enable <TLS version>**

  .. note::

     * Running **web ssl enable TLSv1.3** disables TLSv1.2.
       Users will not be able to alter web ciphers.

     * Running **web ssl enable TLSv1.2** disables TLSv1.3.
       Users can change the web ciphers.



  * Enabling or disabling a protocol that is already in that state raises an error message.

 


  Example:

  ::
  
     $ web ssl enable TLSv1.3
     Enabling the TLSv1.3 protocol requires the web server to be restarted.
     Do you wish to continue? yes
     TLSv1.3: Enabled
     TLSv1.2: Enabled


     Restarting nginx for settings to take effect

     Application nginx processes stopped.


     Application services: firewall processes stopped.
     Application nginx processes started.


The table below shows the result of running **web ssl enable**
or **web ssl disable** given a specific state (from **web ssl list**).

 +--------------------+----------+-----------+
 |   State            |  Command |   Result  |
 +---------+----------+----------+-----+-----+
 | 1.2     | 1.3      | on/off   | 1.2 | 1.3 |
 +=========+==========+==========+=====+=====+
 | on      | off      | 1.2 on   | on  | off |
 +---------+----------+----------+-----+-----+
 | off     | on       | 1.3 on   | off | on  |
 +---------+----------+----------+-----+-----+
 | on      | off      | 1.2 off  | off | on  |
 +---------+----------+----------+-----+-----+
 | off     | on       | 1.3 off  | on  | off |
 +---------+----------+----------+-----+-----+
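
To confirm from a client that a node's listener matches what **web ssl list** reports, the following added example (not part of VOSS Automate or its documentation) pins a Python client to one TLS version at a time and compares the handshake results with the parsed CLI output. The host name, port 443 and all function names are assumptions.

```python
import socket
import ssl

VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def parse_web_ssl_list(text):
    """Turn `web ssl list` output into {"TLSv1.2": bool, "TLSv1.3": bool}."""
    state = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in VERSIONS:
            state[name.strip()] = value.strip() == "Enabled"
    return state

def pinned_context(version):
    """Client context able to negotiate only the one named protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    # Protocol probe only: certificate checks are off, so never send data over it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def accepts(host, version, port=443, timeout=5.0):
    """True if the node completes a handshake when only `version` is offered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == version
    except (ssl.SSLError, ConnectionResetError):
        return False  # refused by the server; timeouts and DNS errors still raise

def mismatches(reported, observed):
    """Versions where the CLI state and the observed listener behaviour differ."""
    return sorted(v for v in VERSIONS if reported.get(v) != observed.get(v))

if __name__ == "__main__":
    # Constructed sample: output pasted from `web ssl list` on the node under test.
    cli_output = "TLSv1.3: Enabled\nTLSv1.2: Disabled\n"
    node = "node1.example.invalid"  # assumed host name, replace with a cluster node
    reported = parse_web_ssl_list(cli_output)
    observed = {v: accepts(node, v) for v in VERSIONS}
    print(node, "reported:", reported, "observed:", observed)
    print("mismatches:", mismatches(reported, observed) or "none")
```

Repeat the check for each node in the cluster; an unreachable node raises an exception instead of being reported as refusing the protocol.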


.. |VOSS Automate| replace:: VOSS Automate
.. |Unified CM| replace:: Unified CM
