Disable TLS v1.0 and 1.1

[bnash]

I have installed FreeNAS-11.3-U2.1 with no issues. Works great. Then I ran a Nessus scan for security. It came back with two issues. TLS Version 1.0 Protocol Detection and TLS Version 1.1 Protocol Detection. I have not been able to figure out how to disable this and only use TLS version 1.2. Any help would be great.

 

[danb35]

I have not been able to figure out how to disable this and only use TLS version 1.2.

I'm not aware of any way to change the web server settings for this, and I'm also not aware of any situation in which it would matter for a properly-deployed FreeNAS server. But if it's important to you, submit a ticket using the "Report a Bug" link at the top of the page.

 

[bnash]

I have opened a bug report on this. Just trying to keep my network secure. "The PCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1 or higher before June 30, 2018.[23][24] In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020."

 

[garm]

Yes, that is true, but weighing threats is also important. If someone is able to reach you internal network and access traffic to a properly secured FreeNAS, you have way bigger issues then TLS 1.0

 

[bnash]

The issue is not if they get in, but when they do. I work in the financial industry. So security scans are part of our normal work. Once a device is found to have an issue. We then have to determine how to fix it. That is what I'm doing now.

 

[proto]

I have not been able to figure out how to disable this and only use TLS version 1.2

you can edit /usr/local/etc/nginx/nginx.conf and restart nginx.

Code:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

comment out TLSv1 and you are compliant.

this modified conf won't survive a restart/update... but will pass my internal tests (sslscan + testssl.sh).

 

[bnash]

I have changed the line to "ssl_protocols TLSv1.2;" then changed to /usr/local/etc/rc.d "service nginx restart" The service restarts, but I can't log back in on https. We block http by default. It keeps telling me "Problem loading page"

Any thoughts would be great.

 

[Yorick]

"Works here" - check whether you maybe made a change to nginx.conf you didn't mean to make. Edited on-box via ee or vi, I presume?

 

[proto]

I have changed the line to "ssl_protocols TLSv1.2;" then changed to /usr/local/etc/rc.d "service nginx restart" The service restarts, but I can't log back in on https. We block http by default. It keeps telling me "Problem loading page"

Any thoughts would be great.

umm... it could be the cache. Check /tmp/nginx-access.log too.

But it's working in TLSv1.2 only as well in v1.1. Below output is from sslscan test:

Code:

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
[...]
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256

 

[bnash]

OK, here is the issue. You can't use the GUI shell to run the CMD "service nginx restart" If I run that from the FreeNAS server all is well. Now I have a workaround until ixSystems understands the issue. I want to say thank you for the help.

 

[Yorick]

TrueNAS Core 12.0 Nightly 0506

 

[danb35]

You can't use the GUI shell to run the CMD "service nginx restart"

...or do anything else useful. Better to just forget it's there.

 

[seanm]

I have opened a bug report on this

There's been one for a while: https://jira.ixsystems.com/browse/NAS-101010