Dell Unity: Detección del protocolo TLS versión 1.0 del análisis de seguridad de vulnerabilidades completamente seguro de Nessus (corregible por el usuario)

Artículo seguido anteriormente 000022527 
Dell Unity: Cómo deshabilitar TLS 1.0 y 1.1 en el arreglo Unity (corregible por el usuario).  Sin embargo, el escáner de vulnerabilidades (Nessus) detectó una vulnerabilidad de TLS en el puerto 5085.
Vulnerabilidades detectadas:https://www.tenable.com/plugins/nessus/104743
Plugin:

104743 Nombre del plug-in: Puerto de detección
del protocolo TLS versión 1.0: Salida del plug-in 5085
: TLSv1 está habilitado y el servidor soporta al menos un cifrado.
Sinopsis: El servicio remoto cifra el tráfico mediante una versión anterior de TLS.
Solución: Habilite la compatibilidad con TLS 1.2 y 1.3, y deshabilite la compatibilidad con TLS 1.0.

El comando "uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2" deshabilita solo el puerto 443.
Si desea deshabilitar el puerto 5085, debe utilizar la opción "-param" en el comando svc_nas.

Deshabilite TLS 1.0 y 1.1 (puerto 5085) mediante los siguientes pasos:
1. Comprobar los ajustes actuales.

svc_nas ALL -param -facility ssl -info protocol -v

2. Cambie el valor a "4" = TLSv1.2 y superior".

svc_nas ALL -param -facility ssl -modify protocol -value 4

3. Confirme que la current_value se haya cambiado a "4" =TLSv1.2 y superior.

svc_nas ALL -param -facility ssl -info protocol -v

4. Reinicie los procesadores de almacenamiento uno a la vez.
UI (Unisphere):
SISTEMA>>>Tareas>>>de servicio de servicio >>> (procesador de almacenamiento X) Seleccione Reiniciar y haga clic en Ejecutar.

CLI:

svc_shutdown --reboot [spa | spb] 

5. Confirme que el current_value se haya cambiado a "4"=TLSv1.2 y superior.

Example of changing from TLSv1.0 to TLSv1.2 (Port 5085):

1. Check the current settings.
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

name                    = protocol
facility_name           = ssl
default_value           = 2   <<<
current_value           = 2   <<<
configured_value        =     <<<
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

2. Change the value to "4" = TLSv1.2 and above".
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -modify protocol -value 4

SPA : done

Warning 17716815750: SPA : You must reboot the SP for protocol changes to take effect.
SPB : done
 
Warning 17716815750: SPB : You must reboot the SP for protocol changes to take effect.

3. Confirm that the configured_value has been changed to "4"=TLSv1.2 and above.
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

SPA :
name                    = protocol
facility_name           = ssl
default_value           = 2
current_value           = 2　　<<<<　current_value is changed after restart
configured_value        = 4　　<<<<
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

4. Reboot Storage Processor (both SPs alternately).

5. Confirm that the current_value has been changed to "4"=TLSv1.2 and above.

XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

SPA :
name                    = protocol
facility_name           = ssl
default_value           = 2
current_value           = 4　　<<<< 
configured_value        = 4
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

Deshabilite TLS 1.0 y 1.1 (puerto 443). 
Extracto del artículo 000022527.
● Unity OE 5.1 y arreglos posteriores en el uso del siguiente comando:Muestre la configuración actual con el comando:
 

uemcli -u admin -password <Your Password> /sys/security show

Deshabilite TLS 1.0 y 1.1 estableciendo -tlsMode TLSv1.2:

uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2

Ejemplo de cambio de TLSv1.0 a TLSv1.2 (Port443):

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS mode              = TLSv1.0 and above
      Restricted shell mode = enabled

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS mode              = TLSv1.2 and above　　<<<
      Restricted shell mode = enabled

En caso de que el arreglo ejecute OE 4.3 a 5.0, deshabilite TLS 1.0 (puerto 443) mediante el siguiente comando:
Muestre la configuración actual con el comando: 

uemcli -u admin -password <Your Password> /sys/security show -detail

Deshabilite TLS 1.0 con el comando: 

uemcli -u admin -password <Your Password> /sys/security set -tls1Enabled no

Habilite TLS 1.2 con el comando: 

uemcli -u admin -password <Your Password> /sys/security -tlsMode TLSv1.2

Ejemplo de cambio de TLSv1.0 a TLSv1.2 (puerto 443): 

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS 1.0 mode          = enabled
      TLS mode              = TLSv1.0 and above
      Restricted shell mode = enabled

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS 1.0 mode          = disabled               <<<
      TLS mode              = TLSv1.2 and above　　 <<<
      Restricted shell mode = enabled

Nota: El siguiente "Código de error:
0x1000302" puede aparecer inmediatamente después de cambiar la configuración.
Si se produce un error, intente ejecutar el comando nuevamente después de aproximadamente 5 minutos.

Operation failed. Error code: 0x1000302
Remote server is not available. Please contact server support (Error Code:0x1000302)