Configure the TLS Protocol Version
The switch by default supports version TLS 1.2 and above. You can explicitly configure TLS 1.0 and TLS 1.1 version support using CLI.
Note
In enhanced secure mode, TLS 1.0 is available on 5520 Series and 5420 Series only.
About this task
Disable the web server before changing the TLS version. By disabling the web server, other existing users with a connection to the web server are not affected from changing to a different version after you run the tls-min-ver command.
Procedure
Example
Switch> enable Switch# configure terminal Switch(config)# web-server tls-min-ver tlsv12
Verify the protocol version.
Switch:1(config)#show web-server
Web Server Info :
Status : off
Secure-only : enabled
TLS-minimum-version : tlsv12
RO Username Status : disabled
RO Username : user
RO Password : ********
RWA Username : admin
RWA Password : ********
Def-display-rows : 30
Inactivity timeout : 900 sec
Html help tftp source-dir :
HttpPort : 80
HttpsPort : 443
NumHits : 0
NumAccessChecks : 0
NumAccessBlocks : 0
NumRxErrors : 0
NumTxErrors : 0
NumSetRequest : 0
Minimum password length : 8
Last Host Access Blocked : 0.0.0.0
In use certificate : Self signed
Certificate Truspoint CA Name :
Certificate with Subject Name : 823
Ciphers-Tls : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
Variable Definitions
Use the data in the following table to use the web-server command.
|
Variable |
Value |
|---|---|
|
def-display-rows <10-100> |
Configures the number of rows each page displays, between 10 and 100. |
|
enable |
Enables the web interface. To disable the web server, use the no form of this command: no web-server [enable] |
|
help-tftp <WORD/0-256> |
Configures the TFTP or FTP directory for Help files, in one of the following formats: a.b.c.d:/| peer:/ [<dir>]. The path can use 0–256 characters. The following example paths illustrate the correct format:
|
|
http-port <80-49151> |
Configures the web server HTTP port. The default port is 80. |
|
https-port <443-49151> |
Configure the web server HTTPS port. The default port is 443. |
|
inactivity-timeout<30–65535> |
Configures the web-server session inactivity timeout. The default is 900 seconds (15 minutes). |
|
password {ro | rwa} WORD<1-20> |
Configures the logon and password for the web interface. |
|
password min-passwd-len<1–32> |
Configures the minimum password length. By default, the minimum password length is 8 characters. |
|
read-only-user |
Enables read-only user for the web server. Note:
read-only-user enable is available for demonstration purposes on some products. For more information, see Fabric Engine Feature Support Matrix. |
|
secure-only |
Enables secure-only access for the web server. |
|
tls-min-ver<tlsv10|tlsv11|tlsv12> |
Configures the minimum version of the TLS protocol supported by the web-server. You can select among the following:
The default is tlsv12. |