HPE Community
HPE OneView
1753519 Members
5033 Online
108795 Solutions
New Discussion

Re: Disable TLS v1.1 without going for CNSA cryptography mode

 
SOLVED
Go to solution
Manu
Occasional Contributor

‎02-08-2021 02:52 AM - edited ‎02-08-2021 03:30 AM

‎02-08-2021 02:52 AM - edited ‎02-08-2021 03:30 AM

Disable TLS v1.1 without going for CNSA cryptography mode

Hello,

Changing to CNSA cryptograpy has numerous consequences, which we might not be able to cope with.

On OneView 5.40, is there an alternate way to disable TLS v1.1 ?

I could not find any in the documentation I went through, but I have to ask.

Thanks for your support

 

0 Kudos
Reply
5 REPLIES 5
ChrisLynch
HPE Pro

‎02-08-2021 07:57 AM

‎02-08-2021 07:57 AM

Solution

Re: Disable TLS v1.1 without going for CNSA cryptography mode

Yes.  This is currently controlled by REST API calls.  We provide a PowerShell Cmdlet that can get the configuration (Get-OVApplianceSecurityProtocol ) and change it (Set-OVApplianceSecurityProtocol ).

 
 
 
 

I am an HPE employee

Accept or Kudo

Reply
Manu
Occasional Contributor

‎02-10-2021 02:32 AM

‎02-10-2021 02:32 AM

Re: Disable TLS v1.1 without going for CNSA cryptography mode

Hello, by disabling TLSv1.1 without going to CNSA.

We would still have available all the cyphers/keyexchange available in FIPS ?

Is there anything else that is removed/disabled when disabling TLSv1.1 using Set-OVApplianceSecurityProtocol ?

Tks

0 Kudos
Reply
ChrisLynch
HPE Pro

‎02-10-2021 07:03 AM

‎02-10-2021 07:03 AM

Re: Disable TLS v1.1 without going for CNSA cryptography mode

You can only change the TLS mode of the appliance with that Cmdlet.  If you need to also change the crypto ciphers, you need to change the cryptography mode from Legacy to FIPS or CNSA.


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
FrediCocon
Occasional Contributor

‎11-08-2021 06:40 AM

‎11-08-2021 06:40 AM

Re: Disable TLS v1.1 without going for CNSA cryptography mode

Hello 

Thanks for your help

Is there any risk in changing the cryptography to FIPS mode? Is there any effect on the oneview configuration? or the change is transparent?

Thanks

0 Kudos
Reply
ChrisLynch
HPE Pro

‎11-08-2021 06:56 AM

‎11-08-2021 06:56 AM

Re: Disable TLS v1.1 without going for CNSA cryptography mode

Changing the appliance cryptography mode does have impact to the appliance and the devices and services it can connect to.  I would suggest you review the User Guide ("Cryptography mode settings" chapter)  on the various modes and potential impact.


I am an HPE employee

Accept or Kudo

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.