Enabling or Disabling TLS v1.2
Beginning with release 4.2(2a), Cisco IMC supports disabling TLS v1.2 and customizing the cipher values for both v1.2 and v1.3.
Before you begin
If CC (Common Criteria) under Security Configuration is enabled, you cannot disable TLS v1.2. Ensure that CC is disabled before you disable TLS v1.2.
Enabling or disabling TLS v1.2 restarts vKVM, Webserver, XML API, and Redfish API sessions.
Procedure
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | Server# scope cimc | |
| Step 2 | Server# scope tls-config | Enters the TLS configuration mode. |
| Step 3 | Server/tls-config # set tlsv2Enabled yes\|no | Enter y to confirm. Enables or disables TLS v1.2. |
| Step 4 | Server/tls-config* # Commit | Saves the changes. |
| Step 5 | Server/tls-config # set tlsv2CipherMode Custom\|High\|Low\|Medium | Selecting High, Low, or Medium automatically provides preset cipher values. |
| Step 6 | (Optional) Server/tls-config # set tlsv2CipherMode Custom Cipher_Value | Enter a valid cipher value for Custom cipher mode. If the cipher value entered is invalid or unsupported, then while saving the configuration, Cisco IMC automatically changes the TLS v1.2 Cipher Mode value to High and saves the configuration. You may see the following status: TLS v1.2 Custom Cipher Status: Error: Configuring an invalid or unsupported TLS v1.2 Cipher List-'Cipher_Name'. Setting TLS v1.2 Cipher Mode to High. |
| Step 7 | Server/tls-config* # Commit | Saves the changes. |
Example
The following example shows how to enable TLS v1.2 and set the cipher mode to high:
Server# scope cimc
Server /cimc # scope tls-config
Server /cimc/tls-config # set tlsv2Enabled yes
Server /cimc/tls-config* # commit
Server /cimc/tls-config # set tlsv2CipherMode high
Server /cimc/tls-config* # commit
The following example shows how to enable TLS v1.2 and set the cipher mode to custom:
server# scope cimc
server /cimc # scope tls-config
server /cimc/tls-config # set tlsv2CipherMode Custom
server /cimc/tls-config *# set tlsv2CipherList ECDHE-RSA-AES256-GCM-SHA384
server /cimc/tls-config *# commit
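
Because an invalid or unsupported custom cipher value causes Cisco IMC to reset the TLS v1.2 Cipher Mode to High at commit, it is worth pre-checking the value before entering it. The following is an added example, not part of the Cisco documentation: it assumes the value is a colon-separated list of explicit suite names (as in the custom example above) and uses the local OpenSSL build as a stand-in, so Cisco IMC's own supported set may differ. The function names `resolve` and `check_cipher_value` are hypothetical.

```python
import ssl

FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe")  # key exchanges with forward secrecy


def resolve(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # OpenSSL could not select any cipher for this string
    # TLS 1.3 suites are configured separately and are always listed; drop them.
    return [c for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def check_cipher_value(value):
    """Pre-check a colon-separated list of explicit TLS v1.2 suite names.

    Each element is resolved on its own, because OpenSSL accepts a list as
    long as one element matches and silently ignores the unknown ones.
    """
    report = {"valid": False, "unknown": [], "weak": [], "suites": []}
    for element in filter(None, (e.strip() for e in value.split(":"))):
        matched = resolve(element)
        if not matched:
            report["unknown"].append(element)
            continue
        for cipher in matched:
            report["suites"].append(cipher["name"])
            forward_secret = cipher.get("kea") in FORWARD_SECRET_KX
            # Flag suites without AEAD encryption or without forward secrecy.
            if not (cipher.get("aead") and forward_secret):
                report["weak"].append(cipher["name"])
    report["valid"] = bool(report["suites"]) and not report["unknown"]
    return report


if __name__ == "__main__":
    # Constructed sample values; the second contains a deliberately bogus name.
    for candidate in (
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384:NOT-A-REAL-SUITE",
    ):
        print(candidate, "->", check_cipher_value(candidate))
```

After committing, confirm on the device that the cipher mode is still Custom and that no TLS v1.2 Custom Cipher Status error is reported.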