Starting from the 20.3.2 release, the administrator can configure the minimum TLS protocol version to be used by SLX manageability applications that use TLS either as a client or as a server. SLX provides separate TLS version control options for TLS clients and TLS servers. The applications that act as TLS clients in SLX are SYSLOG, RADIUS and LDAP. The TLS servers of the SLX management plane are HTTPS and secure gNMI. The control knobs are as below.
ssl-profile-server)# tls min-version ?
Possible completions:
  <1.1|1.2>   specify TLS version
SLX(mgmt-sec-ssl-profile-server)# tls min-version 1.2
SLX(mgmt-sec-ssl-profile-server)# exit
SLX(mgmt-security)# ssl-profile ?
Possible completions:
  client   management security ssl profile client for tls configuration
  server   management security ssl profile server for tls configuration
SLX(mgmt-security)# ssl-profile client
SLX(mgmt-sec-ssl-profile-client)# tls ?
Possible completions:
  min-version   min version to be supported by client
SLX(mgmt-sec-ssl-profile-client)# tls min-version ?
Possible completions:
  <1.1|1.2>   specify TLS version
SLX(mgmt-sec-ssl-profile-client)# tls min-version 1.2
SLX(mgmt-sec-ssl-profile-client)# end
SLX#
The purpose of the TLS version control configuration is to encourage administrators to set the minimum version to TLS v1.2, which is the most secure TLS version supported in SLX.
Setting the minimum version to TLS v1.2 for the client profile forces SLX TLS clients to offer only TLS v1.2 in the client hello, since TLS v1.2 is the highest TLS version supported in SLX. If the server negotiates a less secure version, SLX aborts the handshake upon receiving the server hello.
The following audit log entry appears when the handshake is aborted for this reason; the show logging audit command output indicates the insecure version that was negotiated by the server.
63 AUDIT, 2021/02/17-16:25:24 (GMT), [SEC-3111], INFO, SECURITY, NONE/root/NONE/None/CLI,, SLX, Event: TLS SESSION, TLS handshake, Info: server version 1.1 is lesser than client min-version 1.2 TLS handshake failed.
Setting the minimum version to TLS v1.2 for the server profile forces TLS servers in SLX to abort the handshake upon receiving a client hello with a less secure TLS version.
The following audit log entry appears when the handshake is aborted for this reason; the show logging audit command output indicates the insecure version that was sent by the client.
63 AUDIT, 2021/02/17-16:25:24 (GMT), [SEC-3111], INFO, SECURITY, NONE/root/NONE/None/CLI,, SLX, Event: TLS SESSION, TLS handshake, Info: client version 1.1 is lesser than server min-version 1.2 TLS handshake failed.
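As an added example (not part of the SLX documentation and not SLX-OS code), the following Python script parses SEC-3111 audit entries in the format shown above, records which SLX profile (client or server) rejected the handshake together with the offered and configured versions, and models the comparison both profiles perform. The sample log lines are constructed for the example; the third line's message ID is a placeholder, not a real SLX message ID.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two entries in the SEC-3111 format from the page plus one
# unrelated entry (placeholder message ID) that the parser must skip.
SAMPLE_AUDIT_LOG = """\
63 AUDIT, 2021/02/17-16:25:24 (GMT), [SEC-3111], INFO, SECURITY, NONE/root/NONE/None/CLI,, SLX, Event: TLS SESSION, TLS handshake, Info: server version 1.1 is lesser than client min-version 1.2 TLS handshake failed.
64 AUDIT, 2021/02/17-16:26:02 (GMT), [SEC-3111], INFO, SECURITY, NONE/root/NONE/None/CLI,, SLX, Event: TLS SESSION, TLS handshake, Info: client version 1.1 is lesser than server min-version 1.2 TLS handshake failed.
65 AUDIT, 2021/02/17-16:27:10 (GMT), [SEC-XXXX], INFO, SECURITY, NONE/root/NONE/None/CLI,, SLX, Event: login, Info: constructed non-TLS entry.
"""

# Generic audit line layout: seq, timestamp, [msgid], severity, class, user,, host, Event: ..., rest
AUDIT_RE = re.compile(
    r"^(?P<seq>\d+) AUDIT, (?P<ts>[^,]+), \[(?P<msgid>[^\]]+)\], (?P<sev>\w+), (?P<cls>\w+), "
    r"(?P<user>[^,]*),, (?P<host>[^,]+), Event: (?P<event>[^,]+), (?P<rest>.*)$"
)

# The Info text of a version-policy failure names the peer, the offered version,
# the local role whose profile rejected it, and the configured min-version.
VERSION_RE = re.compile(
    r"(?P<peer>server|client) version (?P<offered>\d\.\d) is lesser than "
    r"(?P<local>client|server) min-version (?P<minimum>\d\.\d)"
)


@dataclass
class TlsVersionFailure:
    seq: int
    timestamp: str
    local_role: str   # "client" or "server": the SLX profile that rejected the handshake
    offered: str      # TLS version the peer offered or negotiated
    minimum: str      # min-version configured in that SLX profile


def parse_tls_failure(line: str) -> Optional[TlsVersionFailure]:
    """Return a TlsVersionFailure for a SEC-3111 version-policy entry, else None."""
    m = AUDIT_RE.match(line.strip())
    if not m or m.group("msgid") != "SEC-3111":
        return None
    v = VERSION_RE.search(m.group("rest"))
    if not v:
        return None
    return TlsVersionFailure(
        seq=int(m.group("seq")),
        timestamp=m.group("ts"),
        local_role=v.group("local"),
        offered=v.group("offered"),
        minimum=v.group("minimum"),
    )


def summarize(log_text: str):
    """Collect all version-policy failures and count them per rejecting profile."""
    failures = [f for f in map(parse_tls_failure, log_text.splitlines()) if f]
    by_role = Counter(f.local_role for f in failures)
    return failures, by_role


def version_tuple(version: str):
    return tuple(int(part) for part in version.split("."))


def handshake_allowed(peer_version: str, min_version: str) -> bool:
    """Model of the check described on the page: the SLX client rejects a server
    hello below its min-version, and the SLX server rejects a client hello below
    its min-version. Both reduce to the same numeric comparison."""
    return version_tuple(peer_version) >= version_tuple(min_version)


if __name__ == "__main__":
    found, counts = summarize(SAMPLE_AUDIT_LOG)
    for f in found:
        print(f"{f.timestamp}: {f.local_role} profile rejected TLS {f.offered} (min-version {f.minimum})")
    print("rejections per profile:", dict(counts))
```

Running it against a `show logging audit` capture tells an operator which side is still negotiating TLS v1.1 after the min-version was raised, so the offending SYSLOG, RADIUS or LDAP server, or the management client, can be upgraded rather than the SLX policy relaxed.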
Note
Configuring the version control option to TLS v1.1, or not configuring it at all, results in the same behaviour, because by default the minimum supported TLS version in SLX is TLS v1.1.