HPE OneView

Disable TLS v1.1 without going for CNSA cryptography mode

SOLVED
Manu
Occasional Contributor

Disable TLS v1.1 without going for CNSA cryptography mode

Hello,

Changing to CNSA cryptography has numerous consequences, which we might not be able to cope with.

On OneView 5.40, is there an alternate way to disable TLS v1.1?

I could not find any in the documentation I went through, but I have to ask.

Thanks for your support

5 REPLIES
ChrisLynch
HPE Pro
Solution

Re: Disable TLS v1.1 without going for CNSA cryptography mode

Yes. This is currently controlled by REST API calls. We provide a PowerShell Cmdlet that can get the configuration (Get-OVApplianceSecurityProtocol) and change it (Set-OVApplianceSecurityProtocol).

I am an HPE employee
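An added example, not part of the original thread and not HPE code: a client-side check to run after changing the protocol setting with Set-OVApplianceSecurityProtocol, confirming that the appliance refuses a TLS 1.1 handshake and still negotiates TLS 1.2. The host name `oneview.example.internal` and the function names are hypothetical.

```python
import socket
import ssl
import sys


def pinned_context(version):
    """Client context that offers exactly one TLS protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This probe tests protocol negotiation only, and appliance certificates
    # are often self-signed, so certificate validation is switched off here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 refuses TLS 1.1 at its default security level; lower it so a
    # refusal reflects the appliance's setting rather than the client's.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected' or 'unreachable' for one TLS version."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with sock, pinned_context(version).wrap_socket(sock, server_hostname=host):
            return "accepted"
    except (ssl.SSLError, OSError, ValueError):
        return "rejected"  # handshake refused, or this client cannot offer it


def verdict(results):
    """Interpret probe results keyed by 'TLSv1_1' and 'TLSv1_2'."""
    if "unreachable" in results.values():
        return "inconclusive"
    if results["TLSv1_1"] == "accepted":
        return "TLS 1.1 still enabled"
    if results["TLSv1_2"] != "accepted":
        return "TLS 1.2 not negotiated"
    return "ok"


if __name__ == "__main__":
    # Hypothetical appliance name; pass the real one as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "oneview.example.internal"
    versions = (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)
    results = {v.name: probe(host, 443, v) for v in versions}
    print(results, "->", verdict(results))
```

A "rejected" result for TLS 1.1 can also come from a client OpenSSL build that has TLS 1.1 compiled out, so run the check before the change as well and compare.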

Manu
Occasional Contributor

Re: Disable TLS v1.1 without going for CNSA cryptography mode

Hello, by disabling TLSv1.1 without going to CNSA,

we would still have all the ciphers/key exchange available in FIPS?

Is there anything else that is removed/disabled when disabling TLSv1.1 using Set-OVApplianceSecurityProtocol?

Thanks

ChrisLynch
HPE Pro

Re: Disable TLS v1.1 without going for CNSA cryptography mode

You can only change the TLS mode of the appliance with that Cmdlet. If you need to also change the crypto ciphers, you need to change the cryptography mode from Legacy to FIPS or CNSA.


I am an HPE employee


FrediCocon
New Member

Re: Disable TLS v1.1 without going for CNSA cryptography mode

Hello 

Thanks for your help

Is there any risk in changing the cryptography to FIPS mode? Is there any effect on the OneView configuration? Or is the change transparent?

Thanks

ChrisLynch
HPE Pro

Re: Disable TLS v1.1 without going for CNSA cryptography mode

Changing the appliance cryptography mode does have an impact on the appliance and the devices and services it can connect to. I would suggest you review the User Guide ("Cryptography mode settings" chapter) on the various modes and potential impact.


I am an HPE employee
