How to disable insecure SSL protocols

pivert
New here
Posts: 3
Joined: Wed Feb 08, 2017 11:14 pm

How to disable insecure SSL protocols

Post by pivert »

Hi,

Currently (2017), only TLSv1.2 is considered secure, and any lower security protocol will be red flagged by PCI-DSS scanners.

To configure TLSv1.2, I do:
Change /etc/default_config/apache-sys-proxy-ssl.conf.tplt with:
SSLProtocol -all +TLSv1.2
and /etc/init.d/stunnel.sh restart

But the Apache proxy does not restart with that option.

I have to leave the TLSv1.0 to get the https working.
TLSv1.2 is quite old now. How can we configure the management interface to only use TLSv1.2?

Thanks,
giopas
Been there, done that
Posts: 855
Joined: Thu Mar 26, 2015 12:36 am
Location: somewhere in EU

Re: How to disable insecure SSL protocols

Post by giopas »

Please open a ticket here.

giopas

ps: welcome!
Qnap TS-253Pro 16Gb RAM - Single Storage Pool: 2 WRed 4TB (RAID 1)
Qnap TS-453A 16Gb RAM - Single Storage Pool: 4 WRed 4TB (RAID 5)
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: How to disable insecure SSL protocols

Post by schumaku »

Try something like...

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

...instead.
JNogueira
New here
Posts: 8
Joined: Mon Aug 08, 2016 8:19 pm

Re: How to disable insecure SSL protocols

Post by JNogueira »

I have a TS-131 and I already opened a ticket for QNAP to address this issue based on this same principle. But QNAP has no plans to raise the TLS version for the ARM based systems.
Intel based systems do have TLS1.2 I believe. This is related to the OpenSSL version that is embedded in our systems.

So we'll have to wait for QNAP to update to an OpenSSL version that supports TLS1.2 for ARM processors.
Even if you disable the insecure protocols using a command like:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

You will have no results because OpenSSL does not support it, unfortunately. This might work fine for x86 based systems.
You can test your system here:
https://www.ssllabs.com/ssltest/

Or internally on your own NAS with this command:
openssl s_client -** -connect www.domain.com:443
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: How to disable insecure SSL protocols

Post by schumaku »

JNogueira wrote: "I have TS-131 and I already opened a ticket for Qnap to address this issue based on this same principle. But qnap has no plans to raise the TLS version for the ARM based systems. Intel based systems do have TLS1.2 I believe."

Appears somebody (QNAP support and/or the OP) are generalising things here - the information provided above is wrong. All QTS 4.2.3 20170121 as released (OpenSSL 1.0.1u 22 Sep 2016) and QTS 4.3.20050 in Beta (OpenSSL 1.0.2j 26 Sep 2016) - AMD based, Intel based, Marvell Kirkwood ARM based, and the AnnapurnaLabs ARM based do connect by TLSv1.2:

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...

The only exceptions are the Comcerto 2000 EVM based TS-x31 entry level models (OpenSSL 1.0.0t 3 Dec 2015).

JNogueira wrote: "This is related with OpenSSL version that is embedded on our systems."

...whereas TLSv1.2 was added way back with 1.0.0h 14 Mar 2012 (Source: https://www.openssl.org/news/openssl-1.0.1-notes.html).
JNogueira
New here
Posts: 8
Joined: Mon Aug 08, 2016 8:19 pm

Re: How to disable insecure SSL protocols

Post by JNogueira »

Unfortunately my TS-131 is a FreeScale ARMv7 CPU (Comcerto 2000 EVM as you mentioned). So by your explanation this is the reason why I cannot have TLS v1.2.
[~] # openssl version
OpenSSL 1.0.0t 3 Dec 2015

This is a recent NAS model from QNAP.
I don't understand why they do this.
JNogueira
New here
Posts: 8
Joined: Mon Aug 08, 2016 8:19 pm

Re: How to disable insecure SSL protocols

Post by JNogueira »

Hi Guys,

As of today I finally have TLS v1.2 on my QNAP TS-131.

Protocols:
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

I will have to find a way to disable TLS v1.0 and v1.1 but this is now very good as it will use by default v1.2 increasing the security.
Well done QNAP but sadly this comes almost 2 years later than the standard for the ARM NAS models.

Cheers all.
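
Added example (not part of any post in this thread, and not mod_ssl's own code): a simplified Python model of how an SSLProtocol line is evaluated against the protocols the linked OpenSSL build offers. It shows why both directives quoted in the thread leave TLSv1.2 only on a build that has it, and leave nothing usable on a build that does not. The two build lists are constructed sample inputs, and treating "-X" for an unsupported protocol as a no-op is an assumption of the model.

```python
# Added example: simplified model of SSLProtocol evaluation (not mod_ssl code).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample builds (assumptions, not read from any device).
BUILD_WITH_TLS12 = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BUILD_WITHOUT_TLS12 = ("SSLv3", "TLSv1")


def effective_protocols(directive, supported):
    """Return the protocols an SSLProtocol argument string leaves enabled.

    Tokens are applied left to right: "+X" adds, "-X" removes, a bare
    name replaces the set, and "all" stands for everything in `supported`.
    Raises ValueError where this model expects the server to refuse to start.
    """
    known = {p.lower(): p for p in KNOWN}
    enabled = set()
    for token in directive.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            chosen = set(supported)
        elif name in known:
            chosen = {known[name]}
        else:
            raise ValueError(f"unknown protocol in {token!r}")
        if action == "-":
            enabled -= chosen  # removing an unsupported protocol is a no-op
            continue
        missing = chosen - set(supported)
        if missing:
            raise ValueError(f"{token!r} needs unsupported {sorted(missing)}")
        enabled = enabled | chosen if action == "+" else chosen
    if not enabled:
        raise ValueError("no protocol left enabled")
    return [p for p in KNOWN if p in enabled]


def check(directive, supported):
    """Return the enabled list, or the reason the configuration is rejected."""
    try:
        return effective_protocols(directive, supported)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for build in (BUILD_WITH_TLS12, BUILD_WITHOUT_TLS12):
        for line in ("-all +TLSv1.2", "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"):
            print(build, "|", line, "->", check(line, build))
```

Running the same check against the protocol list of the actual build before restarting the web server shows whether a hardened SSLProtocol line would leave the management interface without any protocol to negotiate.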