Enabling TLS 1.1 or Earlier for the Cisco Nexus Fabric Manager

About Enabling TLS for the Cisco Nexus Fabric Manager

Because of known security weaknesses in TLS 1.1 and earlier releases, TLS 1.2 is enabled by default. This section explains how you can disable TLS 1.2-only operation and re-enable TLS 1.1 or earlier.

Enabling TLS 1.1 and Earlier

This section explains how to enable TLS 1.1 and earlier in the Apache configuration.


    Step 1   Using an SSH client, log in to the Cisco Nexus Fabric Manager appliance host as root.
    Step 2   Stop the Cisco Nexus Fabric Manager service by entering the following:
    # service esm stop
    Step 3   Edit the following file as appropriate:
    etc/apache2/vhosts.d/esmui.conf.base
    Step 4   Replace the lines in the left column with the lines in the right column of the Text Replacement table below.
    Table 1 Text Replacement

    Original Text:
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    Replacement Text:
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
    Step 5   Start the Cisco Nexus Fabric Manager service again by entering the following:
    # service esm start

    What to Do Next

    The Cisco Nexus Fabric Manager will now start with TLS 1.1 or earlier enabled in the Apache configuration.
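Note that the SSLProtocol line is identical in both columns of the table, so what actually re-opens TLS 1.0 and 1.1 is the cipher list: every suite in the original value (AES-GCM, CHACHA20-POLY1305, SHA-256/SHA-384 HMAC) is defined only for TLS 1.2, whereas the replacement adds SHA-1 CBC suites that older protocol versions can negotiate. The following audit helper, added here and not part of the Cisco document, classifies an SSLCipherSuite value by that rule; the two cipher strings are the table values above, and the classification rule is the only assumption it makes.

```shell
#!/bin/sh
# Added audit helper (not from the Cisco document): classify each suite in an
# OpenSSL-style cipher string as TLS 1.2-only or usable by TLS 1.0/1.1.
# Rule (assumption documented in the lead-in): AES-GCM, CHACHA20-POLY1305 and
# SHA-256/SHA-384 HMAC suites exist only in TLS 1.2; plain "-SHA" (SHA-1 CBC)
# suites are what the older protocol versions can negotiate.

# Print one line per suite: "<suite> legacy" or "<suite> tls12-only".
classify_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r suite; do
        case "$suite" in
            ''|!*) continue ;;   # skip empty fields and exclusions such as !DSS
            *CHACHA20-POLY1305*|*-GCM-*|*-SHA256|*-SHA384)
                echo "$suite tls12-only" ;;
            *-SHA)
                echo "$suite legacy" ;;
            *)
                echo "$suite unknown" ;;
        esac
    done
}

# Return the number of suites a pre-TLS 1.2 client could negotiate.
legacy_suite_count() {
    classify_ciphers "$1" | awk '/ legacy$/ { n++ } END { print n + 0 }'
}

# The two SSLCipherSuite values from the Text Replacement table.
ORIGINAL='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
REPLACEMENT='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS'

printf 'original:    %s legacy-capable suites\n' "$(legacy_suite_count "$ORIGINAL")"
printf 'replacement: %s legacy-capable suites\n' "$(legacy_suite_count "$REPLACEMENT")"
```

On a host with OpenSSL installed, `openssl ciphers -v '<list>'` prints the minimum protocol version per suite and can be used to cross-check the classification.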