Dell Unity: Nessus Vulnerability Security Scan detects a TLS Version 1.0 Protocol vulnerability (User Correctable)
Summary: This article explains how to disable TLS 1.0 and 1.1 on ports 443 and 5085.
Symptoms
Article 000022527 was followed previously:
Dell Unity: How to disable TLS 1.0 and 1.1 on the Unity array (User Correctable). However, the vulnerability scanner (Nessus) still detected a TLS vulnerability on port 5085.
Detected vulnerabilities:
Plugin: https://www.tenable.com/plugins/nessus/104743
Plugin ID: 104743
Plugin name: TLS Version 1.0 Protocol Detection
Port: 5085
Plugin output: TLSv1 is enabled and the server supports at least one cipher.
Synopsis: The remote service encrypts traffic using an older version of TLS.
Solution: Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.
Cause
The command "uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2" only disables TLS 1.0 and 1.1 on port 443.
To disable them on port 5085 as well, use the "-param" option of the svc_nas command.
Resolution
Disable TLS 1.0 and 1.1 (port 5085) using the steps below:
1. Check the current settings.
svc_nas ALL -param -facility ssl -info protocol -v
2. Change the value to "4" (TLSv1.2 and above).
svc_nas ALL -param -facility ssl -modify protocol -value 4
3. Confirm that the configured_value has been changed to "4" (TLSv1.2 and above). The current_value only changes after the SP reboot in step 4.
svc_nas ALL -param -facility ssl -info protocol -v
4. Reboot the storage processors, one at a time.
UI (Unisphere):
SYSTEM >>> Service >>> Tasks >>> (Storage Processor X): select Reboot and click Execute.
CLI:
svc_shutdown --reboot [spa | spb]
5. Confirm that the current_value has been changed to "4" (TLSv1.2 and above).
Example of changing from TLSv1.0 to TLSv1.2 (port 5085):
1. Check the current settings.
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v
name = protocol
facility_name = ssl
default_value = 2 <<<
current_value = 2 <<<
configured_value = <<<
param_type = global
user_action = reboot SP
change_effective = reboot SP
range = (0,4)
description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above
2. Change the value to "4" (TLSv1.2 and above).
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -modify protocol -value 4
SPA : done
Warning 17716815750: SPA : You must reboot the SP for protocol changes to take effect.
SPB : done
Warning 17716815750: SPB : You must reboot the SP for protocol changes to take effect.
3. Confirm that the configured_value has been changed to "4" (TLSv1.2 and above).
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v
SPA :
name = protocol
facility_name = ssl
default_value = 2
current_value = 2 <<<< current_value is changed after restart
configured_value = 4 <<<<
param_type = global
user_action = reboot SP
change_effective = reboot SP
range = (0,4)
description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above
4. Reboot the storage processors (both SPs, one at a time).
5. Confirm that the current_value has been changed to "4" (TLSv1.2 and above).
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v
SPA :
name = protocol
facility_name = ssl
default_value = 2
current_value = 4 <<<<
configured_value = 4
param_type = global
user_action = reboot SP
change_effective = reboot SP
range = (0,4)
description = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above
Disable TLS 1.0 and 1.1 (port 443).
Excerpt from article 000022527.
● Unity OE 5.1 and later arrays: use the commands below.
Show the current settings with the command:
uemcli -u admin -password <Your Password> /sys/security show
Disable TLS 1.0 and 1.1 by setting -tlsMode TLSv1.2:
uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2
Example of changing from TLSv1.0 to TLSv1.2 (port 443):
XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS mode = TLSv1.0 and above
Restricted shell mode = enabled
XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.
XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS mode = TLSv1.2 and above <<<
Restricted shell mode = enabled
If the array is running OE 4.3 to 5.0, disable TLS 1.0 (port 443) using the commands below.
Show the current settings with the command:
uemcli -u admin -password <Your Password> /sys/security show -detail
Disable TLS 1.0 with the command:
uemcli -u admin -password <Your Password> /sys/security set -tls1Enabled no
Enable TLS 1.2 with the command:
uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2
Example of changing from TLSv1.0 to TLSv1.2 (port 443):
XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS 1.0 mode = enabled
TLS mode = TLSv1.0 and above
Restricted shell mode = enabled
XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.
XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS 1.0 mode = disabled <<<
TLS mode = TLSv1.2 and above <<<
Restricted shell mode = enabled
Note: the following "Error code: 0x1000302" may appear immediately after the settings are changed. If the error occurs, run the command again after about 5 minutes.
Operation failed. Error code: 0x1000302 Remote server is not available. Please contact server support (Error Code:0x1000302)
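Added example (not code from Dell's article or from the Unity product): after following the port 5085 procedure above and the port 443 change, an administrator usually wants two checks, one to tell "configured but reboot still pending" apart from "in effect" in the svc_nas output, and one to confirm from the network side that neither port still accepts TLS 1.0 or 1.1. The Python script below does both: parse_svc_nas_protocol and audit read the output of "svc_nas ALL -param -facility ssl -info protocol -v" (the embedded sample is constructed to follow the transcript above, not captured from a real array), and probe_array pins a client handshake to one TLS version at a time against ports 443 and 5085. The hostname passed to probe_array is a placeholder for your own array's management address.

```python
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# Meaning of the svc_nas "protocol" parameter values, as listed in the article's command output.
PROTOCOL_LEVELS = {0: "all SSL/TLS protocols are allowed", 1: "SSLv3 and above",
                   2: "TLSv1.0 and above", 3: "TLSv1.1 and above", 4: "TLSv1.2 and above"}

# Constructed sample output (shape follows the article's transcript; not captured from a real array).
# Before the SP reboot: value 4 is configured but value 2 is still in effect on both SPs.
SAMPLE_BEFORE_REBOOT = """\
SPA :
name = protocol
current_value = 2
configured_value = 4
user_action = reboot SP
SPB :
name = protocol
current_value = 2
configured_value = 4
user_action = reboot SP
"""
# After both SPs have been rebooted: the configured value is now the current value.
SAMPLE_AFTER_REBOOT = SAMPLE_BEFORE_REBOOT.replace("current_value = 2", "current_value = 4")

SP_HEADER = re.compile(r"^\s*(SP[AB])\s*:\s*$", re.MULTILINE)


@dataclass
class SpProtocolState:
    sp: str
    current_value: int               # value in effect now
    configured_value: Optional[int]  # value that takes effect after the next SP reboot (None if unset)

    @property
    def reboot_pending(self) -> bool:
        return self.configured_value is not None and self.configured_value != self.current_value

    @property
    def compliant(self) -> bool:
        return self.current_value >= 4  # 4 = TLSv1.2 and above, the target state


def parse_svc_nas_protocol(output: str) -> List[SpProtocolState]:
    """Parse 'svc_nas ALL -param -facility ssl -info protocol -v' output into one state per SP."""
    parts = SP_HEADER.split(output)  # [text before first header, 'SPA', body, 'SPB', body, ...]
    blocks = [("SP?", parts[0])] + list(zip(parts[1::2], parts[2::2]))
    states = []
    for sp, body in blocks:
        cur = re.search(r"^\s*current_value\s*=\s*(\d+)", body, re.MULTILINE)
        if cur is None:
            continue  # preamble (for example the shell prompt line) carries no parameter dump
        conf = re.search(r"^\s*configured_value\s*=\s*(\d*)", body, re.MULTILINE)
        conf_val = int(conf.group(1)) if conf and conf.group(1) else None
        states.append(SpProtocolState(sp, int(cur.group(1)), conf_val))
    return states


def audit(output: str) -> Dict[str, str]:
    """Map each SP to a one-line verdict: ok, reboot pending, or non-compliant."""
    report = {}
    for s in parse_svc_nas_protocol(output):
        if s.reboot_pending:
            report[s.sp] = f"reboot pending: configured={s.configured_value}, current={s.current_value}"
        elif s.compliant:
            report[s.sp] = "ok: " + PROTOCOL_LEVELS[s.current_value]
        else:
            report[s.sp] = "non-compliant: " + PROTOCOL_LEVELS.get(s.current_value, "unknown level")
    return report


def accepts_tls_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if the service completes a handshake pinned to exactly `version` (a version probe only:
    certificate verification is off because management interfaces commonly use self-signed certs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except ValueError:
        return False  # the local OpenSSL build cannot speak this version at all
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let legacy probes fail on version, not cipher policy
    except ssl.SSLError:
        pass  # builds without security levels keep their default cipher list
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=host):
            return True
    except (ssl.SSLError, OSError):
        return False


def probe_array(host: str, ports=(443, 5085)) -> Dict[int, Dict[str, bool]]:
    """Report, per port from the article, which TLS versions the array still accepts."""
    versions = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2}
    return {p: {n: accepts_tls_version(host, p, v) for n, v in versions.items()} for p in ports}
```

Paste the real svc_nas output into audit() before and after the SP reboots; a "reboot pending" verdict on either SP is the state the scanner still flags, because the port 5085 service keeps the current_value until that SP restarts. Run probe_array("unity-mgmt.example.internal") (placeholder hostname) from the scanner's network position once both SPs are back: the expected result is False for TLSv1.0 and TLSv1.1 and True for TLSv1.2 on both ports. The probe is pinned to a single version per handshake so that a False is a clear version rejection rather than a negotiation down to a newer version.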
Affected Products
Dell EMC Unity, Dell EMC Unity Family | Dell EMC Unity All Flash
Article Properties
Article Number: 000221891
Article Type: Solution
Last Modified: 20 Feb 2024
Version: 1