Custom TLS Settings
Since IP Fabric version
v5.0, the only supported TLS version is set to
for increased security. Some older browser or proxies may not support
this and will require manual intervention to re-enable the older TLS version.
For example, Splunk
does not currently support
TLSv1.3 which means any integration where Splunk
directly talks to an IP Fabric instance, an older TLS version must be re-enabled.
Any action on the CLI as the
autoboss user may severely damage the product and/or the system itself. Such actions taken without direct communication with the IP Fabric Support or Solution Architect teams can render the system unusable.
IP Fabric Updates
Once this file has changed, it will not be updated during an IP Fabric
system upgrade. A new version of the file named
will be placed in that directory. There may be other changes which could
affect the usability of the product. Please follow the
After Upgrade Instructions.
To re-enable an older version of TLS, please perform the following:
- Log into the IP Fabric CLI using the
- Elevate to root using the
/etc/nginx/conf.d/ipf-ssl-params.confwith your preferred editor.
- Change the first line of the configuration by adding other TLS versions separated by spaces:
ssl_protocols TLSv1.2 TLSv1.3;
- Save the file and restart the
systemctl restart nginx.
Other TLS Settings
It is possible to adjust other TLS settings such as ciphers using the same instructions. However, only re-enabling TLSv1.2 has been tested by the Solution Architect team.
After IP Fabric System Update
After an IP Fabric system update, it is recommended to check that no new updates to this file have been made. Because the file has been customized by the user, the update will not override it and will instead create a new file with the updated version.
Below you will find an example on how to check if a new version of the
configuration file is added and how to perform a diff. If changes other than
your own have been discovered, please make the necessary updates and
root@ipfabric:/home/osadmin# ls /etc/nginx/conf.d/ipf-ssl-params.dpkg-new /etc/nginx/conf.d/ipf-ssl-params.dpkg-new root@ipfabric:/home/osadmin# diff -y /etc/nginx/conf.d/ipf-ssl-params.conf /etc/nginx/conf.d/ipf-ssl-params.dpkg-new ssl_protocols TLSv1.2 TLSv1.3; | ssl_protocols TLSv1.3; ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on; ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1; ssl_session_timeout 10m; ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_session_tickets off; ssl_stapling on; ssl_stapling on; ssl_stapling_verify on; ssl_stapling_verify on; gzip off; gzip off;