IBM Support

Disabling TLS 1.0 and TLS 1.1, retaining TLS 1.2 and up

How To


Summary

Security vulnerability scanner software may detect that TLS 1.0 and TLS 1.1 are enabled.
It will recommend that they be disabled.
The Default_strong template configuration consists of TLS 1.2 or higher and SHA above 256.
This template should be enabled.

Steps

1. Execute the following command to check the current settings:
#seccryptocfg --show
SSH Crypto:
SSH Cipher               : aes128-ctr,aes192-ctr,aes256-ctr
SSH Kex                  : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
SSH MAC                  : hmac-sha1,hmac-sha2-256,hmac-sha2-512
TLS Ciphers:
HTTPS                    : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
RADIUS                   : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
LDAP                     : DEFAULT:!PSK
SYSLOG                   : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
TLS Protocol:
HTTPS                    : Any    <---
RADIUS                   : Any   <---
LDAP                     : Any     <---
SYSLOG                   : Any   <---
"Any" means the switch supports TLS 1.0, 1.1 and 1.2. Once the Default_strong template is applied, the output will show "TLSv1.2" instead of "Any".
2. Execute the command below on the switch to apply the Default_strong template.
#seccryptocfg --apply Default_strong
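
A check for the result of step 2, as an added example that is not part of the IBM document: it parses saved `seccryptocfg --show` output and lists the services whose TLS Protocol is still "Any". The function names are hypothetical, and the "after" sample is constructed on the assumption that the value is printed as "TLSv1.2", as the page states.

```python
# Sample input: the TLS sections of the `seccryptocfg --show` output on this page.
BEFORE = """\
TLS Ciphers:
HTTPS                    : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
LDAP                     : DEFAULT:!PSK
TLS Protocol:
HTTPS                    : Any    <---
RADIUS                   : Any
LDAP                     : Any
SYSLOG                   : Any
"""
# Constructed sample: the same section after the template is applied, assuming
# the value is printed as "TLSv1.2" as the page states.
AFTER = BEFORE.replace(": Any", ": TLSv1.2")


def parse_tls_protocols(show_output):
    """Return {service: protocol} for the 'TLS Protocol:' section only."""
    protocols, section = {}, None
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " : " not in line:
            section = line[:-1]  # section header, e.g. "SSH Crypto", "TLS Ciphers"
            continue
        key, sep, value = line.partition(":")
        if section == "TLS Protocol" and sep and value.split():
            # Keep the first token so trailing notes such as "<---" are ignored.
            protocols[key.strip()] = value.split()[0]
    return protocols


def services_allowing_legacy_tls(show_output):
    """List services still set to 'Any' (TLS 1.0, 1.1 and 1.2 per the page)."""
    protocols = parse_tls_protocols(show_output)
    if not protocols:
        # Fail closed: a missing section must not be read as "compliant".
        raise ValueError("no 'TLS Protocol:' entries found in output")
    return sorted(s for s, p in protocols.items() if p.lower() == "any")


if __name__ == "__main__":
    print("before:", services_allowing_legacy_tls(BEFORE))
    print("after: ", services_allowing_legacy_tls(AFTER))
```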

Document Location

Worldwide


Document Information

Modified date:
01 May 2024

UID

ibm17013173