Many customers have mandates that TLS 1.0 must be disabled in their environment.
The ability to disable TLS 1.0 is available in VNX Operating Environment (OE) version 8.1.9.231 and higher. This version introduces a new command, nas_tls. The command syntax is:
[root@cs0 nasadmin]# nas_tls -help
usage: nas_tls
-info
| -set { tls1Enabled | tls1Disabled } [-Force]
| -setCSLDAP { TLSv1 | TLSv11 | TLSv12 }
| -setSPLDAP { tls1Enabled | tls1Disabled }
-info: List the TLS versions supported by Apache, ECOM, the Data Movers, and the CS LDAP client on the File side, and by ManagementServer and the SP LDAP client on the Block side.
-set: Enable or disable TLS 1.0 for Apache, ECOM, the Data Movers, and the CS LDAP client on the File side, and for ManagementServer and the SP LDAP client on the Block side.
NOTE: If TLS v1.0 is disabled, ECOM, Apache, and Data Movers will only support TLS 1.1 and TLS 1.2. If TLS v1.0 is enabled, ECOM, Apache, and Data Movers will support TLS 1.0, TLS 1.1 and TLS 1.2.
-setCSLDAP: Set TLS version for Control Station LDAP client. Only the selected TLS version will be used to communicate with LDAP servers. You can set TLS version for CS LDAP separately because some LDAP servers do not support anything other than TLS v1.0.
-setSPLDAP: Enable or disable TLS 1.0 for Storage Processor LDAP client. You can set TLS version for SP LDAP client separately because some LDAP servers do not support anything other than TLS v1.0.
Note that in order for changes to Apache to take full effect, Apache must be restarted manually. You can reboot the Control Station, or kill the Apache process (it will restart on its own).
The matching Block-side code is 05.33.009.5.231. You can find matching file and block codes listed in KB article 382638.
The release notes for this release are also available for download.
Upgrade to VNX OE 8.1.9.231 or higher to receive this update. This update will not be backported to previous versions or to VNX1 series arrays.
Sample output from nas_tls -info:
[root@cs0 nasadmin]# nas_tls -info
TLS versions supported on Block side
ManagementServer : TLSv1.1 TLSv1.2
SP LDAP : TLSv1.1 TLSv1.2
TLS versions supported on File side
CS LDAP : TLSv1.2
Apache : TLSv1.0 TLSv1.1 TLSv1.2
ECOM : TLSv1.1 TLSv1.2
server_2 : TLSv1.1 TLSv1.2
server_3 : TLSv1.1 TLSv1.2
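
In the sample output above, Apache is the only component that still lists TLSv1.0. The shell function below is an added example, not part of the original article and not a vendor-supplied tool: it reads nas_tls -info output and reports every component that still lists TLS 1.0, so the check can be repeated after a change or an Apache restart. The function names and the handling of a bare "TLSv1" token are assumptions.

```shell
#!/bin/sh
# Added example (not a vendor tool): read `nas_tls -info` output on stdin and
# print "side<TAB>component" for every component that still lists TLS 1.0.
# Returns 1 if any such component is found, 0 otherwise.
tls10_components() {
    awk '
        # Section header, e.g. "TLS versions supported on Block side"
        /^TLS versions supported on / { side = $5; next }
        {
            sep = index($0, ":")
            if (sep == 0) next                      # not a component line
            name = substr($0, 1, sep - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)       # tolerate column padding
            n = split(substr($0, sep + 1), v, " ")
            for (i = 1; i <= n; i++)
                # Exact token match, so TLSv1.1 and TLSv1.2 never count.
                # Assumption: "TLSv1" (the -setCSLDAP spelling) may also appear.
                if (v[i] == "TLSv1.0" || v[i] == "TLSv1") {
                    printf "%s\t%s\n", side, name
                    found = 1
                }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Sample input: the `nas_tls -info` output shown in this article.
sample_info() {
    cat <<'EOF'
TLS versions supported on Block side
ManagementServer : TLSv1.1 TLSv1.2
SP LDAP : TLSv1.1 TLSv1.2
TLS versions supported on File side
CS LDAP : TLSv1.2
Apache : TLSv1.0 TLSv1.1 TLSv1.2
ECOM : TLSv1.1 TLSv1.2
server_2 : TLSv1.1 TLSv1.2
server_3 : TLSv1.1 TLSv1.2
EOF
}

# On a Control Station: nas_tls -info | tls10_components
sample_info | tls10_components || echo "TLS 1.0 is still listed for the components above"
```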