Since IP Fabric 5.0, the only TLS (Transport Layer Security) version supported
by default is 1.3. TLSv1.3 brings many improvements over TLSv1.2, such as
stronger encryption, a simplified handshake, perfect forward secrecy, fewer
round trips, and improved performance. Some older web browsers or proxies may
not support the latest version, and an older TLS version may need to be
re-enabled in IP Fabric.
For example, Splunk does not currently support TLSv1.3, meaning that any
integration between these systems may not be operational without re-enabling an
older TLS version.
Warning
Any action on the Command-Line Interface (CLI) using the root, osadmin,
or autoboss account may cause irreversible, detrimental changes to the
product. Actions taken without direct communication with the IP Fabric
Support or Solution Architect teams can render the system unusable.
How To Re-Enable Older TLS Version
To re-enable an older version of TLS, follow these steps:
1. Log in to the IP Fabric CLI as the osadmin user.
2. Switch to root: sudo su -
3. Edit the TLS configuration file /etc/nginx/conf.d/ipf-ssl-params.conf with
   your preferred editor.
4. Modify the first line of the configuration file by adding other TLS versions
   separated by spaces:
   Original: ssl_protocols TLSv1.3;
   Updated: ssl_protocols TLSv1.2 TLSv1.3;
5. Save the file and restart the nginx service: systemctl restart nginx
6. Make sure that nginx is reactivated: systemctl status nginx
During a system upgrade, the TLS configuration file will not retain any
changes. This is because the main configuration file is part of the system
image and is overwritten when the upgrade is applied. Therefore, it is
important to save any desired changes in a separate file before proceeding
with the upgrade.
Other TLS Settings
It is possible to adjust other TLS settings, such as ciphers, using the
instructions above. However, only re-enabling TLSv1.2 has been tested by the
Solution Architect team.
After IP Fabric System Upgrade
After an IP Fabric system upgrade, we recommend checking that no new updates to
this file have been made. Because the user has customized the file, the update
will not overwrite it and will instead create a new file with the updated version.
Below, you will find an example of how to check if a new version of the
configuration file is added and how to perform a diff. If changes other than
your own have been discovered, please make the necessary updates and restart the
nginx service.
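
One way to run the check described above, as an added example that is not from the original page or from IP Fabric's own tooling. It assumes the upgrade leaves the new version next to the active file under a name that starts with ipf-ssl-params.conf; the exact suffix is not given on this page, so the script matches any sibling file. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the customised TLS config with any sibling copy
# found beside it after an upgrade.
# Assumption: the new version is written next to the active file with some
# suffix appended. Your own backups (for example a .bak copy) match too.

CONF_NAME="ipf-ssl-params.conf"

# Print the ssl_protocols directive(s) of a file, whitespace-normalised.
ssl_protocols_of() {
    grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+/ /g'
}

# Diff the active config against every sibling file in the directory.
# Returns 0 if nothing differs, 1 if a sibling differs, 2 if the active
# file is missing.
check_tls_conf() {
    dir="${1:-/etc/nginx/conf.d}"
    active="$dir/$CONF_NAME"
    [ -f "$active" ] || { echo "missing: $active" >&2; return 2; }

    echo "active: $(ssl_protocols_of "$active")"
    changed=0
    for candidate in "$active"?*; do
        [ -f "$candidate" ] || continue   # glob matched nothing
        echo "found:  $candidate ($(ssl_protocols_of "$candidate"))"
        # A non-empty diff means the sibling is not a copy of your file:
        # review it, merge what you need, then restart nginx.
        diff -u "$active" "$candidate" || changed=1
    done
    return "$changed"
}

# Usage (as root): check_tls_conf
#   or, on a copy of the directory: check_tls_conf /path/to/copy
```

A return code of 1 means at least one sibling file differs from the active configuration and should be reviewed before restarting nginx.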