Disable TLS 1.1 and older

This topic details the procedure to disable TLS 1.1 and older versions.

  1. SSH to the system and acquire a root shell:
    SLX# start shell
    Entering Linux shell for the user: admin
    [admin@SLX]# su -
    Password:
    [root@SLX]#
  2. Edit the Apache webserver config located at '/fabos/webtools/bin/web.conf.0' and replace the line that contains the 'SSLProtocol' variable with the following:
    SSLProtocol -all +TLSv1.2
  3. Grep the process table to look for httpd processes and kill the lowest numbered one (first in the list). For example:
    # ps axuww |grep httpd
    nobody    5046  0.0  0.0  88956  4220 ?        S    20:32   0:00
            /usr/sbin/httpd.0 -DSSL -f /fabos/webtools/bin/httpd.conf.0
    root     24164  0.0  0.0  88688  6360 ?        Ss   01:59   0:14
            /usr/sbin/httpd.0 -DSSL -f /fabos/webtools/bin/httpd.conf.0
    nobody   29385  0.0  0.0  88956  4220 ?        S    19:22   0:00
            /usr/sbin/httpd.0 -DSSL -f /fabos/webtools/bin/httpd.conf.0
    # kill 5046
  4. Restart Apache by manually executing the following command:
    # /usr/sbin/httpd.0 -DSSL -f /fabos/webtools/bin/httpd.conf.0
  5. At this point, SLX-OS will be running Apache with TLS < 1.2 disabled.
    Note

    The httpd.conf.0 file includes the web.conf.0 file automatically. The change does not persist across reboots; this will be fixed in a future SLX-OS release.
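Because the change is lost on reboot, step 2 has to be repeated each time. The following is an added example, not vendor-supplied code, that applies the edit repeatably and audits the result. The function names are hypothetical, and it assumes `sed`, `awk` and `grep` are available in the root shell.

```shell
#!/bin/sh
# Added example (not vendor code). Pass the config path as the argument;
# on the switch that is the web.conf.0 file named in step 2.
WANT='SSLProtocol -all +TLSv1.2'

# Step 2 as a repeatable edit: keep a .bak copy, then rewrite every active
# (uncommented) SSLProtocol line. Fails if the file has no such line.
set_ssl_protocol() {
    grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]' "$1" || {
        echo "no active SSLProtocol line in $1" >&2; return 1; }
    cp -p "$1" "$1.bak" || return 1
    # Write through the existing file so its owner and mode are kept.
    sed -E "s/^[[:space:]]*SSLProtocol[[:space:]].*/$WANT/" "$1.bak" > "$1"
}

# Print each protocol older than TLS 1.2 that the last active SSLProtocol
# line leaves enabled; no output means none. Tokens apply left to right,
# an unsigned token replaces the set, and "all" (also assumed when the
# directive is absent) is counted conservatively as SSLv3 + TLSv1 + TLSv1.1.
legacy_enabled() {
    awk '
    BEGIN { n = split("sslv3 tlsv1 tlsv1.1", old, " ") }
    function mark(tok, val,   i) {
        for (i = 1; i <= n; i++)
            if (tok == "all" || tok == old[i]) on[old[i]] = val
    }
    /^[ \t]*SSLProtocol[ \t]/ {
        seen = 1
        mark("all", 0)            # a later directive overrides earlier ones
        for (f = 2; f <= NF; f++) {
            tok = tolower($f); sign = substr(tok, 1, 1)
            if (sign == "+" || sign == "-") tok = substr(tok, 2)
            else { mark("all", 0); sign = "+" }
            mark(tok, sign == "+")
        }
    }
    END {
        if (!seen) mark("all", 1)
        for (i = 1; i <= n; i++) if (on[old[i]]) print old[i]
    }
    ' "$1"
}
```

To confirm on the wire after step 4, `openssl s_client -connect <switch>:443 -tls1_1` from a client whose OpenSSL build still supports TLS 1.1 should fail to handshake, while `-tls1_2` succeeds.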