SLX uses OpenSSL to provide transport layer security; the OpenSSL version shipped with the current release supports TLS 1.1 and TLS 1.2. Because the SLX device acts both as a TLS client (when it connects to remote servers) and as a TLS server (when remote clients connect to it), you can set a different minimum supported TLS version for each role. The ssl-profile command in management-security configuration mode is where these values are set.
To force the SLX device to use a specific version of TLS or higher in both roles, configure the minimum supported TLS version in both the server and the client ssl-profile; the two settings are independent, so configuring only one leaves the other role unchanged.
Once configured, these settings control how SLX connects to a remote server (when it is the client) and how remote clients may connect to it (when it is the server). In both cases a peer that cannot meet the configured minimum is refused rather than negotiated down.
When SLX connects to a remote server as a client and a minimum TLS version is configured under ssl-profile client, SLX sends its ClientHello as usual; if the version the server selects in its ServerHello is lower than the configured minimum, SLX aborts the handshake after receiving the ServerHello.
When a remote client connects to SLX and a minimum TLS version is configured under ssl-profile server, SLX compares the highest version the client offers in its ClientHello against the configured minimum; if the client's highest version is lower, SLX aborts the handshake without sending a ServerHello.
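The two abort points described above can be made concrete with a small model of TLS 1.0 to 1.2 version negotiation. The following Python is an added illustration, not SLX or OpenSSL code: the record and Handshake header layout follows RFC 5246, while the policy functions, the version strings, and the sample values in the tests are constructed for this example. It generalizes slightly beyond the page by also accepting TLS 1.0 as a peer version, so that the "client offers less than the minimum" case can be exercised.

```python
"""Model of TLS <=1.2 version negotiation under a client-side and a
server-side minimum version, mirroring the SLX ssl-profile behaviour.
Added example; not SLX or OpenSSL code."""
import struct

# Wire encodings of the protocol versions (RFC 5246, ProtocolVersion).
TLS_VERSIONS = {"1.0": 0x0301, "1.1": 0x0302, "1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

HANDSHAKE = 0x16      # TLSPlaintext.type for Handshake records
CLIENT_HELLO = 0x01   # HandshakeType.client_hello
SERVER_HELLO = 0x02   # HandshakeType.server_hello


def build_hello(msg_type, version_str):
    """Build a minimal Handshake record whose body carries only the
    version field (followed by a zeroed 32-byte random). The session id,
    cipher suites and extensions are omitted: they do not affect the
    version check modelled here."""
    version = TLS_VERSIONS[version_str]
    body = struct.pack(">H", version) + b"\x00" * 32
    hs = struct.pack(">B", msg_type) + len(body).to_bytes(3, "big") + body
    # The record-layer version is advisory; real clients commonly put 0x0301 here.
    return struct.pack(">BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def parse_hello_version(record):
    """Return (handshake_type, protocol_version) from a Handshake record.
    Rejects truncated records instead of reading past the end."""
    if len(record) < 5:
        raise ValueError("record header incomplete")
    ctype, _record_version, length = struct.unpack(">BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + length or length < 6:
        raise ValueError("not a complete Handshake record")
    hs = record[5:5 + length]
    msg_type = hs[0]
    (version,) = struct.unpack(">H", hs[4:6])   # 1 byte type + 3 bytes length
    return msg_type, version


def server_select(client_hello, server_max, server_min):
    """Server role (ssl-profile server tls min-version). Returns the
    ServerHello bytes, or None when the client's highest offered version is
    below the minimum: the server refuses before sending any ServerHello
    (a real stack sends a protocol_version alert here)."""
    msg_type, client_max = parse_hello_version(client_hello)
    if msg_type != CLIENT_HELLO:
        raise ValueError("expected ClientHello")
    if client_max < TLS_VERSIONS[server_min]:
        return None
    chosen = min(client_max, TLS_VERSIONS[server_max])
    return build_hello(SERVER_HELLO, VERSION_NAMES[chosen])


def client_check(server_hello, client_min):
    """Client role (ssl-profile client tls min-version). True when the
    version the server selected meets the minimum, False when the client
    must abort after receiving the ServerHello."""
    msg_type, chosen = parse_hello_version(server_hello)
    if msg_type != SERVER_HELLO:
        raise ValueError("expected ServerHello")
    return chosen >= TLS_VERSIONS[client_min]


def negotiate(client_max, client_min, server_max, server_min):
    """Run a full ClientHello/ServerHello exchange between a client and a
    server, each with its own highest and minimum version. Returns the
    negotiated version string or a string naming where the handshake broke."""
    ch = build_hello(CLIENT_HELLO, client_max)
    sh = server_select(ch, server_max, server_min)
    if sh is None:
        return "server refused before ServerHello"
    if not client_check(sh, client_min):
        return "client aborted after ServerHello"
    _, version = parse_hello_version(sh)
    return VERSION_NAMES[version]


if __name__ == "__main__":
    # Constructed scenarios: SLX as server with min 1.2 facing a 1.1 client,
    # and SLX as client with min 1.2 facing a server that only offers 1.1.
    print(negotiate("1.1", "1.0", "1.2", "1.2"))
    print(negotiate("1.2", "1.2", "1.1", "1.0"))
    print(negotiate("1.2", "1.2", "1.2", "1.2"))
```

The model stops at TLS 1.2 because that is the highest version the SLX profile offers; TLS 1.3 negotiates through the supported_versions extension with legacy_version fixed at 0x0303, so this version-field check would not describe it. To verify the server-side setting on a live device, a handshake forced to TLS 1.1 from a management host (for example `openssl s_client -tls1_1 -connect <device>:<https-port>`) should fail once `tls min-version 1.2` is configured under ssl-profile server, while `-tls1_2` should succeed.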
The following example shows the complete configuration for setting the minimum supported TLS version for the SLX device as a client.
SLX# config term
Entering configuration mode terminal
SLX(config)#
SLX(config)# management-security
SLX(mgmt-security)#
SLX(mgmt-security)# ssl-profile ?
Possible completions:
  client   management security ssl profile client for tls configuration
  server   management security ssl profile server for tls configuration
SLX(mgmt-security)# ssl-profile client
SLX(mgmt-sec-ssl-profile-client)#
SLX(mgmt-sec-ssl-profile-client)# tls ?
Possible completions:
  min-version   min version to be supported by client
SLX(mgmt-sec-ssl-profile-client)# tls min-version ?
Possible completions:
  <1.1|1.2>   specify TLS version
SLX(mgmt-sec-ssl-profile-client)# tls min-version 1.2
The following example shows the complete configuration for setting the minimum supported TLS version for the SLX device as a server.
SLX# config term
Entering configuration mode terminal
SLX(config)#
SLX(config)# management-security
SLX(mgmt-security)#
SLX(mgmt-security)# ssl-profile ?
Possible completions:
  client   management security ssl profile client for tls configuration
  server   management security ssl profile server for tls configuration
SLX(mgmt-security)# ssl-profile server
SLX(mgmt-sec-ssl-profile-server)#
SLX(mgmt-sec-ssl-profile-server)# tls ?
Possible completions:
  min-version   min version to be supported by server
SLX(mgmt-sec-ssl-profile-server)# tls min-version ?
Possible completions:
  <1.1|1.2>   specify TLS version
SLX(mgmt-sec-ssl-profile-server)# tls min-version 1.2