Connectrix MDS: Third-party security software reports that MDS switches are accepting TLS 1.0 connections
Summary: When third-party security software is run on MDS switches, it can report that the MDS switches are accepting TLS 1.0 connections.
Symptoms
When third-party security software is run on MDS switches, it can report that the MDS switches are accepting TLS 1.0 connections.
Conditions:
- Detected in MDS 9710 version 8.3.2, possibly applies to other versions.
- Applicable when the customer is using NXAPI, HTTP-server, and/or SSH.
Cause
This is a false positive. We clarified from the platform end (same HW and FW) in debug mode that lower TLS versions are not enabled at kernel level. We can ignore these alerts from the 3rd party tools.
Test on MDS 9148S with 8.4(1a) FW showing no presence of TLS 1 or 1.1:
Linux(debug)# openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1.2
Resolution
Workaround:
- For NXAPI, manually configure the TLS versions used:
switch(config)# nxapi ssl protocols TLSv1.1 TLSv1.2 << (Run to enable TLSv1.1 TLSv1.2)
switch(config)# no nxapi ssl protocols TLSv1 << (Run to disable TLSv1)
- For the HTTP/HTTPS server, disable the server:
config
no feature http-server
copy run start
These commands are non-disruptive and do not have any impact on DCNM.
The HTTP/HTTPS server is only used to download Device Manager.
Note: Disabling the HTTP server also disables the HTTPS server.
Additional Information
Using "nxapi ssl protocols TLSv1.1/TLSv1.2" enables only the required versions, which means the other versions are disabled.
Note: Starting with Cisco NX-OS Release 8.3(1), TLS1.0 is disabled by default. Running this command enables the TLS versions specified in the string, including the TLS1.0 that was disabled by default, if necessary. The no form of the command changes it to the default (by default, only TLS1.1 and TLS1.2 will be enabled).
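The following is an added example, not part of the original article or any Dell or Cisco tooling: a small offline audit of a saved running-config that applies the rules stated above (default of TLS1.1 and TLS1.2 from 8.3(1) onward, the positive form enabling exactly the listed versions, the "no" form restoring the default). The function names and sample configs are hypothetical, and it assumes the saved configuration contains these lines as typed, with a disabled server shown as "no feature http-server".

```python
import re

# Default NX-API protocol set from NX-OS 8.3(1) onward, per the article's note.
DEFAULT_PROTOCOLS = frozenset({"TLSv1.1", "TLSv1.2"})
NXAPI_RE = re.compile(r"^(no\s+)?nxapi\s+ssl\s+protocols\b(.*)$")


def effective_nxapi_protocols(config_text):
    """Return the TLS versions NX-API accepts after all config lines apply."""
    protocols = set(DEFAULT_PROTOCOLS)
    for raw in config_text.splitlines():
        match = NXAPI_RE.match(raw.strip())
        if not match:
            continue
        if match.group(1):
            # The "no" form resets to the default set.
            protocols = set(DEFAULT_PROTOCOLS)
        else:
            # The positive form enables exactly the versions listed.
            protocols = set(match.group(2).split())
    return protocols


def audit(config_text):
    """Return findings for a saved running-config (hypothetical helper)."""
    lines = {line.strip() for line in config_text.splitlines()}
    findings = []
    if "TLSv1" in effective_nxapi_protocols(config_text):
        findings.append("NX-API: TLSv1 is explicitly enabled")
    # Assumption: a disabled server appears as "no feature http-server".
    if "no feature http-server" not in lines:
        findings.append("http-server: not disabled")
    return findings


# Constructed sample configs, not captured from a real switch.
WEAK_CONFIG = """\
feature nxapi
nxapi ssl protocols TLSv1 TLSv1.1 TLSv1.2
"""
HARDENED_CONFIG = """\
feature nxapi
nxapi ssl protocols TLSv1.1 TLSv1.2
no feature http-server
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, sorted(effective_nxapi_protocols(cfg)), audit(cfg))
```

An empty findings list means the configuration matches the workaround in this article; the check does not cover SSH.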
Affected Products
Connectrix MDS-9710, Connectrix MDS-9710-V2
Article Properties
Article Number: 000185920
Article Type: Solution
Last Modified: 29 Aug 2025
Version: 4