Tutorial: Select the SSL and TLS Levels on the Web Server
You can adjust the SSL and TLS levels Access Server uses for the hosted web services.
Overview
You can adjust the TLS settings for the Access Server web server from the Admin Web UI or command-line interface (CLI).
An installed Access Server.
Admin Web UI access or console access with root privileges.
Sign in to the Admin Web UI.
Click Configuration > TLS Settings.
Scroll down to TLS options for Web Server.
Select your desired protocol version (the default is TLS 1.2).
Important
Changing the TLS level requires restarting the server.
Connect to the console and get root privileges.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
List the current TLS level:
./sacli ConfigQuery | grep -i "cs.tls_version_min"
If nothing displays, the cs.tls_version_min configuration key uses the default value, TLS 1.2.
Tip
In Access Server version 2.9.1 through the final 2.x release before 3.0.0, the cluster API on TCP 945 has a separate configuration key for setting the minimum TLS version: ssl_api.tls_version_min. By default, it inherits the value from the main web services (cs.tls_version_min), but it can be configured independently. Starting with Access Server 3.0.0, the cluster API no longer uses TCP 945, and the ssl_api.tls_version_min key is no longer used. Cluster communication now shares the web service port on TCP 943 and follows the same TLS settings.
Set the web services minimum requirement of TLS 1.3 or higher:
./sacli --key "cs.tls_version_min" --value "1.3" ConfigPut
./sacli start
Valid values for the cs.tls_version_min configuration key are:
1.0: require TLS 1.0 or higher.
1.1: require TLS 1.1 or higher.
1.2: require TLS 1.2 or higher.
1.3: require TLS 1.3 or higher.
Important
The OpenSSL library that comes with the operating system on which your Access Server is installed must support the selected value. On older operating systems, OpenSSL did not yet support TLS 1.3, so it will not function on those platforms. On newer operating systems, OpenSSL automatically upgrades TLS 1.0 and TLS 1.1 to TLS 1.2.
Reset the minimum TLS level settings to default by deleting the configuration keys:
./sacli --key "cs.tls_version_min" ConfigDel
./sacli --key "ssl_api.tls_version_min" ConfigDel
./sacli start
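The following is an added example, not part of the original tutorial or OpenVPN's own tooling: a small shell audit that applies the default and inheritance rules described above to ConfigQuery output and reports the effective minimum TLS level for the web services and the cluster API. It assumes ConfigQuery prints one "key": "value" pair per line and that a 2.x server is at version 2.9.1 or later; the function names, the MAJOR parameter, and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenVPN's code): report the effective minimum TLS level.
# Assumption: ConfigQuery prints one "key": "value" pair per line.

# Constructed sample input; the values are invented for illustration.
SAMPLE_CONFIG='{
  "cs.tls_version_min": "1.3",
  "host.name": "vpn.example.com",
  "ssl_api.tls_version_min": "1.1"
}'

# get_key KEY: print KEY's value from ConfigQuery output on stdin, or nothing.
get_key() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # match dots literally
    sed -n "s/^[[:space:]]*\"$key_re\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*\$/\1/p" |
        head -n 1
}

# tls_audit MAJOR: read ConfigQuery output on stdin; MAJOR (hypothetical
# parameter) is the Access Server major version, 2 or 3.
tls_audit() {
    major=${1:-3}
    cfg=$(cat)
    web=$(printf '%s\n' "$cfg" | get_key cs.tls_version_min)
    api=$(printf '%s\n' "$cfg" | get_key ssl_api.tls_version_min)
    [ -n "$web" ] || web=1.2            # unset key: default of TLS 1.2
    # 3.x ignores ssl_api.tls_version_min; in 2.x an unset key inherits.
    if [ "$major" -ge 3 ] || [ -z "$api" ]; then api=$web; fi
    status=OK
    for v in "$web" "$api"; do
        case $v in
            1.2|1.3) ;;
            1.0|1.1) status=BELOW_DEFAULT ;;
            *) status=INVALID; break ;;
        esac
    done
    echo "web=$web cluster_api=$api status=$status"
}

# On the server: ./sacli ConfigQuery | tls_audit 2
```

A BELOW_DEFAULT result on a 2.x server with web=1.3 means the cluster API key was set independently and still permits an older protocol than the web services.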