Disable http and TLS 1.0

dudu2030 (Dabbler, joined Mar 7, 2021) wrote:
I am a newbie here. How can I disable HTTP and TLS 1.0 (either by CLI or GUI)?
I am aware traffic could be redirected from HTTP to HTTPS, but I would like to disable HTTP completely if possible.
The security guys also complained about the following being open:
TCP/22 OpenSSH server 7.9

I have just upgraded to 11.3-U5, but I'm not sure if that automatically solves my problem.

Any help will be appreciated.

Thank you.
 

dudu2030 (Dabbler, joined Mar 7, 2021) wrote:
> FreeNAS 11.3 doesn't have any UI to disable old TLS, but 12.0 does, see: https://jira.ixsystems.com/browse/NAS-101010
>
> SSH you can turn off from Services > SSH.
>
> I'm not aware of any way to totally disable HTTP and get port 80 closed, but I like the idea, and just created a ticket: https://jira.ixsystems.com/browse/NAS-109745
>
> If you're so worried about security though, why are you running 11 and not 12?

TLS 1.0 and 1.1 were automatically disabled after upgrading to 12.0.
Problem solved.
Thank you, Seanm.
 

dudu2030 (Dabbler, joined Mar 7, 2021) wrote:
Help!
Backup to FreeNAS failed after moving to 12.0.
I am clueless right now.

Error from the console:

freenas lock order reversal
freenas 1st 0xfffff8017d0592e8 dl ->dl_lock ... @ /workdirs/usr/ports/systeutils/openzfs-kmod/work/zfs-b74f7bc59/module/zfs/dsl_deadlist.c:454
freenas 2nd 0xfffff8017d06ab38 dn->dn_dbufs_mtx ... @ /wrkdirs/usr/ports/sysutils/openzfs-knod/work/zfs-b74f7bc59/module/zfs/dbuf.c:2734

freenas stack backtrace
etc.
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013) wrote:
Kernel panic. You need to reboot. Not in any way related to TLS...
 

ciscoguy (Cadet, joined Mar 24, 2021) wrote:
> Help!
> Backup to FreeNAS failed after moving to 12.0.
> I am clueless right now.
>
> Error from the console:
>
> freenas lock order reversal
> freenas 1st 0xfffff8017d0592e8 dl ->dl_lock ... @ /workdirs/usr/ports/systeutils/openzfs-kmod/work/zfs-b74f7bc59/module/zfs/dsl_deadlist.c:454
> freenas 2nd 0xfffff8017d06ab38 dn->dn_dbufs_mtx ... @ /wrkdirs/usr/ports/sysutils/openzfs-knod/work/zfs-b74f7bc59/module/zfs/dbuf.c:2734
>
> freenas stack backtrace
> etc.

My SFTP backup also failed after upgrading from 11.3 to 12.0. Did you find a solution?

Usually my Cisco Call Manager backs up to FreeNAS every night. No successful backup since the upgrade.
Possibly the OS version (11.5) on the Cisco machine doesn't support TLS 1.2.

The error from FreeNAS is:
"unable to negotiate with [IP of Cisco] no matching key exchange method found,"
"their offer diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1"
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013) wrote:
> The error from FreeNAS is:
> "unable to negotiate with [IP of Cisco] no matching key exchange method found,"
> "their offer diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1"

Navigate to Services, edit the SSH service, click on Advanced Options.
In the field Auxiliary Parameters enter: KexAlgorithms +diffie-hellman-group14-sha1
Restart SSH service.

That should fix it.
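The following is an added illustration (not TrueNAS or OpenSSH code, and not posted by anyone in this thread) of why the negotiation above fails and what the `+` in `KexAlgorithms +diffie-hellman-group14-sha1` does. It models the OpenSSH list-modifier rules from sshd_config(5): a value starting with `+` appends to the current list, `^` prepends, `-` removes matching patterns, and a value with no prefix replaces the whole list. The `DEFAULT_KEX` list is an assumption standing in for a representative OpenSSH 8.x default; the authoritative value on a real host comes from `sshd -T | grep -i kexalgorithms`. The log line is a constructed sample shaped like the message quoted in the thread, with a documentation IP address.

```python
"""Model OpenSSH KexAlgorithms directive semantics and SSH kex negotiation.

Added example, not project code.  DEFAULT_KEX is an ASSUMED representative
OpenSSH 8.x default; verify the real list with `sshd -T | grep -i kexalgorithms`.
"""
import fnmatch
import re

# ASSUMPTION: representative modern OpenSSH default (no SHA-1 kex at all).
DEFAULT_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]

# Constructed sample of the sshd log line quoted in the thread (192.0.2.10 is
# a documentation address, not a real host).
SAMPLE_LOG = (
    "Unable to negotiate with 192.0.2.10 port 51234: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]"
)


def parse_directive(line):
    """Split an sshd_config line into (keyword-lowercased, value).

    A line that is only a comma-separated algorithm list (as in the screenshot
    field that lacked the 'KexAlgorithms' keyword) has no keyword and is
    reported as such, because sshd would reject it as an unknown keyword.
    """
    parts = line.strip().split(None, 1)
    if not parts or "," in parts[0] or parts[0][0] in "+-^":
        return (None, line.strip())
    return (parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")


def apply_directive(current, value):
    """Apply OpenSSH list-modifier semantics to an algorithm list."""
    value = value.strip()
    prefix, body = (value[0], value[1:]) if value[:1] in ("+", "-", "^") else ("", value)
    items = [i for i in body.split(",") if i]
    if prefix == "+":                      # append, skipping duplicates
        return list(current) + [i for i in items if i not in current]
    if prefix == "^":                      # move/prepend to the front
        return items + [c for c in current if c not in items]
    if prefix == "-":                      # remove every name matching a pattern
        return [c for c in current if not any(fnmatch.fnmatch(c, p) for p in items)]
    return items                           # no prefix: the list is REPLACED


def offered_kex(log_line):
    """Extract the client's offered kex list from an sshd negotiation error."""
    m = re.search(r"their offer:?\s*([^\s]+)", log_line, re.IGNORECASE)
    return m.group(1).split(",") if m else []


def negotiate(server_list, client_list):
    """RFC 4253 §7.1: the first algorithm in the client's list that the server
    also supports wins; None means 'no matching key exchange method found'."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def sha1_kex(algs):
    """Names of the SHA-1 based kex methods in a list, for later cleanup."""
    return [a for a in algs if a.endswith("-sha1")]


if __name__ == "__main__":
    offer = offered_kex(SAMPLE_LOG)
    print("client offers:", offer)
    print("default server negotiates:", negotiate(DEFAULT_KEX, offer))
    kw, val = parse_directive("KexAlgorithms +diffie-hellman-group14-sha1")
    patched = apply_directive(DEFAULT_KEX, val)
    print("after '+' directive:", negotiate(patched, offer))
    print("legacy methods now enabled:", sha1_kex(patched))
    print("without '+', the list becomes:", apply_directive(DEFAULT_KEX, val[1:]))
```

The last two lines of the demo are the practical point: with the `+` prefix the server keeps all of its modern methods and merely adds one legacy method for the old client, whereas the same name without `+` leaves group14-sha1 as the server's only kex method, and `-*-sha1` later removes the exception again once the client has been upgraded.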
 

ciscoguy (Cadet, joined Mar 24, 2021) wrote:
[attached screenshot: 1616614293098.png]

Thanks for the response. It seems diffie-hellman-group14-sha1 is there already,
although the line doesn't start with "KexAlgorithms".
Should I include it?
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013) wrote:
Did you put that line in there? Normally this field is empty.
Your Cisco is complaining about the key exchange. So you should put another line like I suggested in there.
 

ciscoguy (Cadet, joined Mar 24, 2021) wrote:
> Did you put that line in there? Normally this field is empty.
> Your Cisco is complaining about the key exchange. So you should put another line like I suggested in there.

Thank you, Patrick. Problem solved.
I don't know how the previous line got there; I found it there after the 12.0 update.
Well, I removed it and replaced it with the line you provided. Now my Cisco backup works.
THANK YOU.

I still have a lot to learn about ciphers.
 