VNX: TLSv1.1 and TLSv1.2 support for VNX2

Summary: Information about current and future support for TLSv1.1 and TLSv1.2


Symptoms

Many customers have mandates that TLS 1.0 must be disabled in their environment.

Cause

TLSv1.0 has been identified as a vulnerable protocol, and PCI compliance is scheduled to require that it be disabled in June 2018.

Resolution

This has been fixed in VNX Operating Environment version 8.1.9.231 and higher.  This version introduces a new command, nas_tls.  The command syntax is:

[root@cs0 nasadmin]# nas_tls -help
usage: nas_tls
      -info
    | -set { tls1Enabled | tls1Disabled } [-Force]
    | -setCSLDAP { TLSv1 | TLSv11 | TLSv12 }
    | -setSPLDAP { tls1Enabled | tls1Disabled }


-info:        List TLS versions supported by Apache, ECOM, Data Movers, CS LDAP client on File side, and ManagementServer, SP LDAP client on Block side.
-set:         Enable or disable TLS 1.0 for Apache, ECOM, Data Movers, CS LDAP client on File side, and ManagementServer, SP LDAP client on Block side.

NOTE: If TLS v1.0 is disabled, ECOM, Apache, and Data Movers will only support TLS 1.1 and TLS 1.2. If TLS v1.0 is enabled, ECOM, Apache, and Data Movers will support TLS 1.0, TLS 1.1 and TLS 1.2.

-setCSLDAP:   Set TLS version for Control Station LDAP client. Only the selected TLS version will be used to communicate with LDAP servers.  You can set TLS version for CS LDAP separately because some LDAP servers do not support anything other than TLS v1.0.

-setSPLDAP:   Enable or disable TLS 1.0 for Storage Processor LDAP client.  You can set TLS version for SP LDAP client separately because some LDAP servers do not support anything other than TLS v1.0.
 

Note that in order for changes to Apache to take full effect, Apache must be restarted manually.  You can reboot the Control Station, or kill the Apache process (it will restart on its own).

The matching Block-side code is 05.33.009.5.231.  You can find matching file and block codes listed in KB article 382638.

The release notes for this release are also available for download.

Upgrade to VNX OE 8.1.9.231 or higher to receive this update.  This update will not be backported to previous versions.  This update will not be backported to VNX1 series arrays.

Additional Information

Sample output from nas_tls -info:
 

[root@cs0 nasadmin]# nas_tls -info
TLS versions supported on Block side
ManagementServer         : TLSv1.1    TLSv1.2
SP LDAP                  : TLSv1.1    TLSv1.2

TLS versions supported on File side
CS LDAP                  : TLSv1.2
Apache                   : TLSv1.0    TLSv1.1    TLSv1.2
ECOM                     : TLSv1.1    TLSv1.2
server_2                 : TLSv1.1    TLSv1.2
server_3                 : TLSv1.1    TLSv1.2
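
As an added example (not part of the original article or of the VNX tooling), the shell functions below parse nas_tls -info output in the format shown above and list every component that still advertises TLSv1.0. The function names and the embedded sample are constructed for illustration, and treating a bare TLSv1 token as TLS 1.0 is an assumption.

```shell
#!/bin/sh
# Added example: flag components that still list TLSv1.0 in `nas_tls -info` output.
# On a Control Station: nas_tls -info | tls10_components

# Reads `nas_tls -info` text on stdin and prints "<side>: <component>" for each
# component whose supported-version list includes TLSv1.0.
# A bare "TLSv1" token is also treated as TLS 1.0 (assumption).
tls10_components() {
    awk '
        /^TLS versions supported on / {
            side = $5 " " $6              # "Block side" or "File side"
            next
        }
        index($0, ":") > 0 {
            pos  = index($0, ":")
            name = substr($0, 1, pos - 1)
            sub(/[ \t]+$/, "", name)      # trim padding before the colon
            n = split(substr($0, pos + 1), v, " ")
            for (i = 1; i <= n; i++)
                if (v[i] == "TLSv1.0" || v[i] == "TLSv1") {
                    print side ": " name
                    break
                }
        }
    '
}

# Constructed sample input, mirroring the sample output in this article.
sample_info() {
    cat <<'EOF'
TLS versions supported on Block side
ManagementServer         : TLSv1.1    TLSv1.2
SP LDAP                  : TLSv1.1    TLSv1.2

TLS versions supported on File side
CS LDAP                  : TLSv1.2
Apache                   : TLSv1.0    TLSv1.1    TLSv1.2
ECOM                     : TLSv1.1    TLSv1.2
server_2                 : TLSv1.1    TLSv1.2
server_3                 : TLSv1.1    TLSv1.2
EOF
}

# Returns 0 when no component lists TLSv1.0, 1 otherwise (findings on stdout).
tls10_disabled() {
    found=$(tls10_components)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Run against the sample above, the check reports Apache on the File side as the only component still listing TLSv1.0.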

 

Affected Products

VNX2 Series

Products

VNX2 Series