Skip to main content

Tutorial: Select the SSL and TLS Levels on the Web Server

Abstract

You can adjust the SSL and TLS levels Access Server uses for the hosted web services.

Overview

You can adjust the TLS settings for the Access Server web server from the Admin Web UI or command-line interface (CLI).

Prerequisites

  • An installed Access Server.

  • Admin Web UI access or console access with root privileges.

Option 1: Adjust the TLS level from the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Configuration > TLS Settings.

  3. Scroll down to TLS options for Web Server.

  4. Select your desired protocol version (the default is TLS 1.2).

  5. Important

    When you change the TLS level, this requires restarting the server.

Option 2: Adjust the TLS level from the CLI

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. List the current TLS level:

    ./sacli ConfigQuery | grep -i "cs.tls_version_min"

    • If nothing displays, the cs.tls_version_min configuration key uses the default value, TLS 1.2.

      Tip

      In Access Server version 2.9.1 through the final 2.x release before 3.0.0, the cluster API on TCP 945 has a separate configuration key for setting the minimum TLS version: ssl_api.tls_version_min.

      By default, it inherits the value from the main web services (cs.tls_version_min), but it can be configured independently.

      Starting with Access Server 3.0.0, the cluster API no longer uses TCP 945, and the ssl_api.tls_version_min key is no longer used. Cluster communication now shares the web service port on TCP 943 and follow the same TLS settings.

  4. Set the web services minimum requirement of TLS 1.3 or higher:

    ./sacli --key "cs.tls_version_min" --value "1.2"1 ConfigPut
./sacli start

    1

    Valid values for the cs.lts_version_min configuration key are:

    • 1.0: require TLs 1.0 or higher.

    • 1.1: require TLS 1.1 or higher.

    • 1.2: require TLS 1.2 or higher.

    • 1.3: require TLs 1.3 or higher.

    Important

    The OpenSSL library that comes with the operating system on which your Access Server is installed must support the selected value. On older operating systems, OpenSSL did not yet support TLS 1.3, so it will not function on those platforms. On newer operating systems, OpenSSL automatically upgrades TLS 1.0 and TLS 1.1 to TLS 1.2.

  5. Reset the minimum TLS level settings to default by deleting the configuration keys:

    ./sacli --key "cs.tls_version_min" ConfigDel
./sacli --key "ssl_api.tls_version_min" ConfigDel
./sacli start
In this section: