Configuring the minimum version of the TLS protocol

Use the following procedure to configure the minimum version of the TLS protocol.

Earlier releases used a self-signed certificate generated using the OpenSSL API, and this self-signed certificate was installed in /inflash/.ssh. The self-signed certificate is now generated with the Mocana API.

Disable the web server before changing the TLS version. By disabling the web server, other existing users with a connection to the web server are not affected by changing to a different version.

The switch by default supports version TLS 1.2 and above. You can explicitly configure TLS 1.0 and TLS 1.1 version support.

Procedure

  1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
  2. Select General and then select Web tab.
  3. In the TlsMinimumVersion field, select the TLS version you want to configure as the minimum on the system.

Web Field Descriptions

Use the data in the following table to use the Web tab.

Name

Description

WebRWAUserName

Specifies the RWA username from 1–20 characters. The default is admin.

WebRWAUserPassword

Specifies the password from 1–32 characters. The default is 12345678.

WebROEnable

Enables the web server read-only (RO) user, which is disabled by default after a software upgrade.

WebEncryptionType

Specifies the ciphers for preset version of TLS for the web server.

WebCertSubjectName

Specifies the digital certificate subject Name used as identity certificate in the web server.

WebCertCAName

Specifies the digital certificate CA trustpoint name used for the certificate in the web server.

WebROUserName

Specifies the RO username. The default is user.

WebROUserPassword

Specifies the password from 1–32 characters. The default is password.

MinimumPasswordLength

Configures the minimum password length. By default, the minimum password length is 8 characters.

HttpPort

Specifies the HTTP port for web access. The default value is 80.

HttpsPort

Specifies the HTTPS port for web access. The default value is 443.

SecureOnly

Controls whether the secure-only option is enabled. The default is enabled.

InactivityTimeout

Specifies the idle time (in seconds) to wait before the EDM login session expires. The default value is 900 seconds (15 minutes).

TlsMinimumVersion

Configures the minimum version of the TLS protocol supported by the web-server. You can select from the following options:

  • tlsv10 – Configures the version to TLS 1.0.

  • tlsv11 – Configures the version to TLS 1.1.

  • tlsv12 – Configures the version to TLS 1.2

The default is tlsv12.

InUseCertType

Shows if the certificate is self-signed or user-installed.

HelpTftp/Ftp_SourceDir

Configures the TFTP or FTP directory for Help files, in one of the following formats: a.b.c.d:/| peer:/ [<dir>]. The path can use 0–256 characters. The following example paths illustrate the correct format:

  • 192.0.2.1:/Help

  • 192.0.2.1:/

DefaultDisplayRows

Configures the web server display row width between 10–100. The default is 30.

LastChange

Shows the last web-browser initiated configuration change.

NumHits

Shows the number of hits to the web server.

NumAccessChecks

Shows the number of access checks performed by the web server.

NumAccessBlocks

Shows the number of access attempts blocked by the web server.

LastHostAccessBlockedAddressType

Shows the address type, either IPv4 or IPv6, of the last host access blocked by the web server.

LastHostAccessBlockedAddress

Shows the IP address of the last host access blocked by the web server.

NumRxErrors

Shows the number of receive errors the web server encounters.

NumTxErrors

Shows the number of transmit errors the web server encounters.

NumSetRequest

Shows the number of set-requests sent to the web server.