Hi,
Currently (2017), only TLSv1.2 is considered secure, and any lower security protocol will be red flagged by PCI-DSS scanners.
To configure TLSv1.2, I do:
Change /etc/default_config/apache-sys-proxy-ssl.conf.tplt with:
SSLProtocol -all +TLSv1.2
and /etc/init.d/stunnel.sh restart
But the Apache proxy does not restart with that option.
I have to leave the TLSv1.0 to get the https working.
TLSv1.2 is quite old now. How can we configure the management interface to only use TLSv1.2?
Thanks,
How to disable insecure SSL protocols
- New here
- Posts: 3
- Joined: Wed Feb 08, 2017 11:14 pm
- Been there, done that
- Posts: 855
- Joined: Thu Mar 26, 2015 12:36 am
- Location: somewhere in EU
Re: How to disable insecure SSL protocols
Qnap TS-253Pro 16Gb RAM - Single Storage Pool: 2 WRed 4TB (RAID 1)
Qnap TS-453A 16Gb RAM - Single Storage Pool: 4 WRed 4TB (RAID 5)
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Re: How to disable insecure SSL protocols
Try something like...
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
...instead.
- New here
- Posts: 8
- Joined: Mon Aug 08, 2016 8:19 pm
Re: How to disable insecure SSL protocols
I have TS-131 and I already opened a ticket for Qnap to address this issue based on this same principle. But qnap has no plans to raise the TLS version for the ARM based systems.
Intel based systems do have TLS1.2 I believe. This is related with OpenSSL version that is embedded on our systems.
So we'll have to wait for qnap to update OpenSSL version that supports TLS1.2 for ARM processors.
Even if you disable the insecure protocols using a command like:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
You will have no results because OpenSSL does not support it, unfortunately. This might work fine for x86 based systems.
You can test your system here:
https://www.ssllabs.com/ssltest/
Or internally on your own NAS with this command:
openssl s_client -** -connect www.domain.com:443
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Re: How to disable insecure SSL protocols
JNogueira wrote:
I have TS-131 and I already opened a ticket for Qnap to address this issue based on this same principle. But qnap has no plans to raise the TLS version for the ARM based systems.
Intel based systems do have TLS1.2 I believe.

Appears somebody (QNAP support and/or the OP) is generalising things here - the information provided above is wrong. All QTS 4.2.3 20170121 as released (OpenSSL 1.0.1u 22 Sep 2016) and QTS 4.3.20050 in Beta (OpenSSL 1.0.2j 26 Sep 2016) - AMD based, Intel based, Marvell Kirkwood ARM based, and the AnnapurnaLabs ARM based do connect by TLSv1.2:
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...
The only exception are the Comcerto 2000 EVM based TS-x31 entry level models (OpenSSL 1.0.0t 3 Dec 2015).

JNogueira wrote:
This is related with OpenSSL version that is embedded on our systems.

...whereas TLSv1.2 was added way back with 1.0.0h 14 Mar 2012 (Source: https://www.openssl.org/news/openssl-1.0.1-notes.html).
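To see how the two configurations in this thread (the OP's `SSLProtocol -all +TLSv1.2` and schumaku's `SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`) behave on the OpenSSL builds schumaku lists, here is an added example, not QNAP's, mod_ssl's or any poster's code, that evaluates an SSLProtocol line under mod_ssl's bare-keyword/+/- rules against the protocol set of a given OpenSSL build. The per-build protocol sets in OPENSSL_BUILDS are assumptions taken from the OpenSSL release notes (TLSv1.1/1.2 arrived with 1.0.1).

```python
import ssl

# Protocol keywords mod_ssl accepts, oldest first (used to order the output).
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Assumed protocol support of the OpenSSL builds named in the thread:
# TLSv1.1/1.2 were added in 1.0.1, so the TS-x31's 1.0.0t has neither.
OPENSSL_BUILDS = {
    "1.0.0t": {"SSLv2", "SSLv3", "TLSv1"},
    "1.0.1u": {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    "1.0.2j": {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
}


def local_openssl_protocols():
    """Protocol versions compiled into the OpenSSL behind this Python (ssl.HAS_* flags)."""
    flags = {"SSLv2": ssl.HAS_SSLv2, "SSLv3": ssl.HAS_SSLv3, "TLSv1": ssl.HAS_TLSv1,
             "TLSv1.1": ssl.HAS_TLSv1_1, "TLSv1.2": ssl.HAS_TLSv1_2, "TLSv1.3": ssl.HAS_TLSv1_3}
    return {name for name, present in flags.items() if present}


def evaluate_sslprotocol(directive, available):
    """Protocols an `SSLProtocol ...` line enables, given the set `available` in the
    OpenSSL build. mod_ssl rules: a bare keyword replaces the list, '+' adds,
    '-' removes, and 'All' stands for every protocol the library offers."""
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]
    by_lower = {p.lower(): p for p in PROTOCOLS}
    enabled = set()
    for word in words:
        action, name = (word[0], word[1:]) if word[:1] in "+-" else ("=", word)
        if name.lower() == "all":
            chosen = set(available)
        elif name.lower() in by_lower:
            chosen = {by_lower[name.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol keyword {name!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    # A version the library was built without can be named but never negotiated.
    return sorted(enabled & set(available), key=PROTOCOLS.index)


if __name__ == "__main__":
    for line in ("SSLProtocol -all +TLSv1.2", "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"):
        for version, protos in OPENSSL_BUILDS.items():
            print(f"{line!r:48} on OpenSSL {version}: {evaluate_sslprotocol(line, protos) or 'NOTHING'}")
    print("this host:", ssl.OPENSSL_VERSION, sorted(local_openssl_protocols(), key=PROTOCOLS.index))
```

Both directives leave only TLSv1.2 on 1.0.1u and 1.0.2j, while on 1.0.0t the OP's `-all +TLSv1.2` leaves no protocol at all, which is why the proxy would not come up with https on that build.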
- New here
- Posts: 8
- Joined: Mon Aug 08, 2016 8:19 pm
Re: How to disable insecure SSL protocols
Unfortunately my TS-131 is a FreeScale ARMv7 CPU (Comcerto 2000 EVM as you mentioned). So by your explanation this is the reason why I cannot have TLS v1.2.
[~] # openssl version
OpenSSL 1.0.0t 3 Dec 2015
This is a recent NAS model from QNAP.
I don't understand why they do this.
- New here
- Posts: 8
- Joined: Mon Aug 08, 2016 8:19 pm
Re: How to disable insecure SSL protocols
Hi Guys,
As of today I finally have TLS v1.2 on my QNAP TS-131
Protocols:
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
I will have to find a way to disable TLS v1.0 and v1.1, but this is now very good as it will use v1.2 by default, increasing the security.
Well done QNAP but sadly this comes almost 2 years later than the standard for the ARM NAS models.
Cheers all.