Dell Unity: Nessus Full Safe Vulnerability Security Scan TLS versione 1.0 Rilevamento del protocollo (correggibile dall'utente)

Articolo seguito in precedenza 000022527 
Dell Unity: Come disabilitare TLS 1.0 e 1.1 sull'array Unity (correggibile dall'utente).  Tuttavia, lo scanner di vulnerabilità (Nessus) ha rilevato una vulnerabilità TLS sulla porta 5085.
Vulnerabilità rilevate:https://www.tenable.com/plugins/nessus/104743
Plugin:

104743 Nome del plug-in: Porta di rilevamento
del protocollo TLS versione 1.0: Output del plug-in 5085
: TLSv1 è abilitato e il server supporta almeno una crittografia.
Sinossi: Il servizio remoto crittografa il traffico utilizzando una versione precedente di TLS.
Soluzione: Abilita il supporto per TLS 1.2 e 1.3 e disabilita il supporto per TLS 1.0.

Il comando "uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2" disabilita solo la porta 443.
Se si desidera disabilitare la porta 5085, è necessario utilizzare l'opzione "-param" nel comando svc_nas.

Disabilitare TLS 1.0 e 1.1 (porta 5085) utilizzando la seguente procedura:
1. Controllare le impostazioni correnti.

svc_nas ALL -param -facility ssl -info protocol -v

2. Modificare il valore in "4" = TLSv1.2 e versioni successive".

svc_nas ALL -param -facility ssl -modify protocol -value 4

3. Verificare che il current_value sia stato modificato in "4" =TLSv1.2 e versioni successive.

svc_nas ALL -param -facility ssl -info protocol -v

4. Riavviare gli storage processor uno alla volta.
Interfaccia utente (Unisphere):
attività di servizio>>> SYSTEM>>>>>>(Storage Processor X) Selezionare Reboot e cliccare su Execute.

CLI:

svc_shutdown --reboot [spa | spb] 

5. Verificare che il current_value sia stato modificato in "4"=TLSv1.2 e versioni successive.

Example of changing from TLSv1.0 to TLSv1.2 (Port 5085):

1. Check the current settings.
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

name                    = protocol
facility_name           = ssl
default_value           = 2   <<<
current_value           = 2   <<<
configured_value        =     <<<
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

2. Change the value to "4" = TLSv1.2 and above".
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -modify protocol -value 4

SPA : done

Warning 17716815750: SPA : You must reboot the SP for protocol changes to take effect.
SPB : done
 
Warning 17716815750: SPB : You must reboot the SP for protocol changes to take effect.

3. Confirm that the configured_value has been changed to "4"=TLSv1.2 and above.
XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

SPA :
name                    = protocol
facility_name           = ssl
default_value           = 2
current_value           = 2　　<<<<　current_value is changed after restart
configured_value        = 4　　<<<<
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

4. Reboot Storage Processor (both SPs alternately).

5. Confirm that the current_value has been changed to "4"=TLSv1.2 and above.

XXXXX spa:~/user# svc_nas ALL -param -facility ssl -info protocol -v

SPA :
name                    = protocol
facility_name           = ssl
default_value           = 2
current_value           = 4　　<<<< 
configured_value        = 4
param_type              = global
user_action             = reboot SP
change_effective        = reboot SP
range                   = (0,4)
description             = Set the supported SSL/TLS protocols. Possible values are: 0=all SSL/TLS protocols are allowed, 1=SSLv3 and above, 2=TLSv1.0 and above, 3=TLSv1.1 and above, 4=TLSv1.2 and above

Disabilitare TLS 1.0 e 1.1 (porta 443). 
Estratto dall'articolo 000022527.
● Array Unity OE 5.1 e versioni successive utilizzando il comando seguente: Mostrare le impostazioni correnti con il comando:
 

uemcli -u admin -password <Your Password> /sys/security show

Disabilitare TLS 1.0 e 1.1 impostando -tlsMode TLSv1.2:

uemcli -u admin -password <Your Password> /sys/security set -tlsMode TLSv1.2

Esempio di modifica da TLSv1.0 a TLSv1.2 (Port443):

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS mode              = TLSv1.0 and above
      Restricted shell mode = enabled

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

XXXXX spa:~/user# uemcli -u admin -p Password123# /sys/security show
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS mode              = TLSv1.2 and above　　<<<
      Restricted shell mode = enabled

Nel caso in cui l'array esegua OE da 4.3 a 5.0, disabilitare TLS 1.0 (porta 443) utilizzando il comando seguente:Mostrare le impostazioni correnti con il comando:
 

uemcli -u admin -password <Your Password> /sys/security show -detail

Disabilitare TLS 1.0 con il comando: 

uemcli -u admin -password <Your Password> /sys/security set -tls1Enabled no

Abilitare TLS 1.2 con il comando: 

uemcli -u admin -password <Your Password> /sys/security -tlsMode TLSv1.2

Esempio di modifica da TLSv1.0 a TLSv1.2 (porta 443): 

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS 1.0 mode          = enabled
      TLS mode              = TLSv1.0 and above
      Restricted shell mode = enabled

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security set -tlsMode TLSv1.2
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

Please refer to the Security Configuration Guide for backward compatibility.
This change may impact running operations (e.g. replication) and the management services will be automatically restarted for the change to take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

XXXXX spa:~/user# uemcli -u admin -password Password123# /sys/security show -detail
Storage system address: 127.0.0.1
Storage system port: 443
HTTPS connection

1:    FIPS 140 mode         = disabled
      TLS 1.0 mode          = disabled               <<<
      TLS mode              = TLSv1.2 and above　　 <<<
      Restricted shell mode = enabled

Nota: il seguente "Codice errore:
0x1000302" potrebbe essere visualizzato immediatamente dopo aver modificato le impostazioni.
Se si verifica un errore, provare a eseguire nuovamente il comando dopo circa 5 minuti.

Operation failed. Error code: 0x1000302
Remote server is not available. Please contact server support (Error Code:0x1000302)