Dell Unity: Nessus Full Safe Vulnerability Security Scan TLS Version 1.0 Protocol Detection (kan rettes af brugeren)
Summary: Denne artikel forklarer, hvordan du deaktiverer TLS 1.0 og 1.1 på port 443 og port 5085.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Tidligere fulgt artikel 000022527
Dell Unity: Sådan deaktiverer du TLS 1.0 og 1.1 på Unity-system (kan rettes af brugeren). Sårbarhedsscanneren (Nessus) registrerede imidlertid en TLS-sårbarhed på Port 5085.
Opdagede sårbarheder:https://www.tenable.com/plugins/nessus/104743-plugin
:
104743-pluginnavn: TLS Version 1.0-protokolregistreringsport
: 5085-pluginudgang
: TLSv1 er aktiveret, og serveren understøtter mindst én kryptering.
Synopsis: Fjerntjenesten krypterer trafik ved hjælp af en ældre version af TLS.
Løsning: Aktivér understøttelse af TLS 1.2 og 1.3, og deaktiver understøttelse af TLS 1.0.
Dell Unity: Sådan deaktiverer du TLS 1.0 og 1.1 på Unity-system (kan rettes af brugeren). Sårbarhedsscanneren (Nessus) registrerede imidlertid en TLS-sårbarhed på Port 5085.
Opdagede sårbarheder:https://www.tenable.com/plugins/nessus/104743-plugin
:
104743-pluginnavn: TLS Version 1.0-protokolregistreringsport
: 5085-pluginudgang
: TLSv1 er aktiveret, og serveren understøtter mindst én kryptering.
Synopsis: Fjerntjenesten krypterer trafik ved hjælp af en ældre version af TLS.
Løsning: Aktivér understøttelse af TLS 1.2 og 1.3, og deaktiver understøttelse af TLS 1.0.
Cause
Kommandoen "uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2" deaktiverer kun port 443.
Hvis deaktivering af port 5085 ønskes, skal du bruge indstillingen "-param" i svc_nas-kommandoen.
Hvis deaktivering af port 5085 ønskes, skal du bruge indstillingen "-param" i svc_nas-kommandoen.
Resolution
Deaktiver TLS 1.0 og 1.1 (Port 5085) ved hjælp af nedenstående trin:
1. Kontroller de aktuelle indstillinger.
svc_nas ALL -param -facility ssl -info protocol -v
2. Skift værdien til "4" = TLSv1.2 og derover".
svc_nas ALL -param -facility ssl -modify protocol -value 4
3. Bekræft, at current_value er ændret til "4" =TLSv1.2 og derover.
svc_nas ALL -param -facility ssl -info protocol -v
4. Genstart storageprocessorerne én ad gangen.
UI(Unisphere):
SYSTEM>>> Serviceserviceopgaver>>>>>>(storageprocessor X) Vælg Genstart, og klik på Udfør.
CLI:
svc_shutdown --reboot [spa | spb]
5. Bekræft, at current_value er ændret til "4"=TLSv1.2 og derover.
Example of changing from TLSv1.0 to TLSv1.2 (Port 5085): 1. Check the current settings. XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v name = protocol facility_name = ssl default_value = 2 <<< current_value = 2 <<< configured_value = <<< param_type = global user_action = reboot SP change_effective = reboot SP range = (0,4) description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above 2. Change the value to "4" = TLSv1.2 and above". XXXXX spa:~/user# svc_nas ALL -param -facility ssl -modify protocol -value 4 SPA : done Warning 17716815750: SPA : You must reboot the SP for protocol changes to take effect. SPB : done Warning 17716815750: SPB : You must reboot the SP for protocol changes to take effect. 3. Confirm that the configured_value has been changed to "4"=TLSv1.2 and above. XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v SPA : name = protocol facility_name = ssl default_value = 2 current_value = 2 <<<< current_value is changed after restart configured_value = 4 <<<< param_type = global user_action = reboot SP change_effective = reboot SP range = (0,4) description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above 4. Reboot Storage Processor (both SPs alternately). 5. Confirm that the current_value has been changed to "4"=TLSv1.2 and above. XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v SPA : name = protocol facility_name = ssl default_value = 2 current_value = 4 <<<< configured_value = 4 param_type = global user_action = reboot SP change_effective = reboot SP range = (0,4) description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and aboveDeaktiver TLS 1.0 og 1.1 (port 443).
Uddrag fra artikel 000022527.
●Unity OE 5.1 og nyere systemer på brug af nedenstående kommando: Vis de aktuelle indstillinger med kommandoen:
uemcli -u admin -password <Your Password> /sys/security showDeaktiver TLS 1.0 og 1.1 ved at indstille -tlsMode TLSv1.2:
uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2
Eksempel på skift fra TLSv1.0 til TLSv1.2 (Port443):
XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS mode = TLSv1.0 and above
Restricted shell mode = enabled
XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.
XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS mode = TLSv1.2 and above <<<
Restricted shell mode = enabled
Hvis systemet kører OE 4.3 til 5.0, skal du deaktivere TLS 1.0 (Port 443) ved hjælp af nedenstående kommando: Vis de aktuelle indstillinger med kommandoen:
uemcli -u admin -password <Your Password> /sys/security show -detailDeaktiver TLS 1.0 med kommandoen:
uemcli -u admin -password <Your Password> /sys/security set -tls1Enabled noAktivér TLS 1.2 med kommandoen:
uemcli -u admin -password <Your Password> /sys/security -tlsMode TLSv1.2
Eksempel på skift fra TLSv1.0 til TLSv1.2 (port 443):
XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS 1.0 mode = enabled
TLS mode = TLSv1.0 and above
Restricted shell mode = enabled
XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.
XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS 1.0 mode = disabled <<<
TLS mode = TLSv1.2 and above <<<
Restricted shell mode = enabled Bemærk: Følgende "Fejlkode:
0x1000302" vises muligvis umiddelbart efter ændring af indstillingerne.
Hvis der opstår en fejl, skal du prøve at udføre kommandoen igen efter ca. 5 minutter.
Operation failed. Error code: 0x1000302 Remote server is not available. Please contact server support (Error Code:0x1000302)
Affected Products
Dell EMC Unity, Dell EMC Unity Family |Dell EMC Unity All FlashArticle Properties
Article Number: 000221891
Article Type: Solution
Last Modified: 20 Feb 2024
Version: 1
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.