TLS vulnerability reported in security scan even though the specified TLS version is disabled
Applies to
- ONTAP 9
- Transport Layer Security (TLS)
- Qualys ID 38794
Issue
- A security scan report flags a vulnerability for an IP address in the cluster, stating that an older TLS version is enabled:
vulnerability(ies): Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)
- However, the cluster's security configuration does not list that TLS version as supported:
Cluster::> set advanced
Cluster::*> security config show -fields supported-protocols
interface supported-protocols
--------- -------------------
SSL TLSv1.2, TLSv1.3
- An nmap scan of the affected IP from a Linux host also lists cipher suites for the older TLS version:
Linux@Host# nmap -sV --script ssl-enum-ciphers.nse -p 443 10.XX.XX.XXX

Starting Nmap 5.51 ( http://nmap.org ) at 2023-05-17 09:12 PDT
Nmap scan report for user.group.com (10.XX.XX.XXX)
Host is up (0.0011s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (12)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       .......
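To reconcile a finding like this one, a practitioner wants two things: a quick way to diff what the scanner (or nmap) actually negotiated against what the cluster claims to support, and an independent handshake test pinned to the disputed TLS version so the result does not depend on the scanner's own logic. The script below is an added example written for this article; it is not NetApp code or output. The nmap text and the ONTAP field value are constructed samples in the shape shown above; `parse_nmap_ciphers`, `unexpected_protocols` and `probe` are names chosen here.

```python
"""Reconcile a TLS scan finding with the protocols ONTAP reports.

Added example (not NetApp code). Sample inputs are constructed to mirror the
nmap ssl-enum-ciphers and 'security config show' output formats.
"""
import re
import socket
import ssl

# Constructed, abbreviated nmap ssl-enum-ciphers output (not a real scan).
NMAP_OUTPUT = """\
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|   TLSv1.2
|     Ciphers (12)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
"""

# Sample value of the supported-protocols field from 'security config show'.
ONTAP_SUPPORTED = "TLSv1.2, TLSv1.3"

# A protocol header line: "|   TLSv1.1" (older nmap) or "|   TLSv1.1:" (newer).
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1(?:\.[0-3])?)\s*:?\s*$")
# A cipher suite line: "|       TLS_RSA_WITH_AES_128_CBC_SHA".
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s*$")


def parse_nmap_ciphers(text):
    """Return {protocol: [cipher, ...]} from ssl-enum-ciphers script output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append(m.group(1))
    return result


def parse_ontap_protocols(field):
    """Split the comma-separated supported-protocols field into a set."""
    return {p.strip() for p in field.split(",") if p.strip()}


def unexpected_protocols(scanned, configured):
    """Protocol versions the scanner negotiated that the config does not allow."""
    return sorted(set(scanned) - set(configured))


def probe(host, port, version, timeout=5.0):
    """Attempt a handshake restricted to exactly one TLS version.

    Returns True if the server completes it, False otherwise. This is a live
    network call and is deliberately not exercised by the offline demo below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we are testing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; lower
    # it so the client side is not the reason the handshake fails.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    scanned = parse_nmap_ciphers(NMAP_OUTPUT)
    configured = parse_ontap_protocols(ONTAP_SUPPORTED)
    for proto in unexpected_protocols(scanned, configured):
        print(f"{proto}: negotiated by scanner, absent from cluster config "
              f"({len(scanned[proto])} cipher suites listed)")
    # Live re-test of the disputed version, e.g.:
    # print(probe("10.XX.XX.XXX", 443, ssl.TLSVersion.TLSv1_1))
```

Run the probe from the same network position the scanner used, and against exactly the IP it reported; if `probe()` returns True for TLSv1.1 while `security config show` lists only TLSv1.2 and TLSv1.3, the finding is real for that listener and the mismatch needs to be explained, not dismissed as a scanner false positive.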