Setting the TLS protocol version

The switch by default supports version TLS 1.2 and above. You can explicitly configure TLS 1.0 and TLS 1.1 version support using CLI.

About this task

Disable the web server before changing the TLS version. By disabling the web server, other existing users with a connection to the web server are not affected from changing to a different version after you run the tls-min-ver command.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Disable the Web server:

    no web-server enable

  3. Set the TLS protocol version:

    web-server tls-min-ver [tlsv10 | tlsv11 | tlsv12]

  4. Enable the Web server:

    web-server enable

  5. Verify the protocol version:

    show web-server

Example

Switch> enable
Switch# configure terminal
Switch(config)# web-server tls-min-ver tlsv11

Verify the protocol version.

Switch> show web-server

Web Server Info :

        Status                    : on
        Secure-only               : disabled
        TLS-minimum-version       : tlsv11
        RWA Username              : admin
        RWA Password              : ********
        Def-display-rows          : 30
        Inactivity timeout        : 900 sec
        Html help tftp source-dir :
        HttpPort                  : 80
        HttpsPort                 : 443
        NumHits                   : 198
        NumAccessChecks           : 8
        NumAccessBlocks           : 0
        NumRxErrors               : 198
        NumTxErrors               : 0
        NumSetRequest             : 0
        Minimum password length   : 8
        Last Host Access Blocked  : 0.0.0.0
        In use certificate        : Self signed

Variable Definitions

Use the data in the following table to use the web-server command.

Variable

Value

def-display-rows <10-100>

Configures the number of rows each page displays, between 10 and 100.

enable

Enables the Web interface. To disable the web server, use the no form of this command:

no web-server [enable]

help-tftp <WORD/0-256>

Configures the TFTP or FTP directory for Help files, in one of the following formats: a.b.c.d:/| peer:/ [<dir>]. The path can use 0–256 characters. The following example paths illustrate the correct format:

  • 192.0.2.1:/help

  • 192.0.2.1:/

http-port <80-49151>

Configures the web server HTTP port. The default port is 80.

 https-port <443-49151>

Configure the web server HTTPS port. The default port is 443.

inactivity-timeout<30–65535>

Configures the web-server session inactivity timeout. The default is 900 seconds (15 minutes).

password {ro | rwa} WORD<1-20>

Configures the logon and password for the web interface.

password min-passwd-len<1–32>

Configures the minimum password length. By default, the minimum password length is 8 characters.

read-only-user

Enables read-only user for the web server.

Note:

read-only-user enable is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.

secure-only

Enables secure-only access for the web server.

tls-min-ver<tlsv10|tlsv11|tlsv12>

Configures the minimum version of the TLS protocol supported by the web-server. You can select among the following:

  • tlsv10 – Configures the version to TLS 1.0.

  • tlsv11 – Configures the version to TLS 1.1.

  • tlsv12 – Configures the version to TLS 1.2

The default is tlsv12.