SRX Services Gateway

How to enable TLS for SRX GUI access for the PCI compliance

04-15-2019 12:00 AM

Hi

How do I disable SSL and enable TLS for SRX GUI HTTPS access? It is needed for PCI compliance.

"We use a public certificate for the firewall GUI access"

Thanks


Re: How to enable TLS for SRX GUI access for the PCI compliance

04-15-2019 12:50 AM

Upgrade to 12.3X48-D55, 15.1X49-D100 and later releases. On these releases, the TLS 1.0 and TLS 1.1 protocols are blocked because of reported security vulnerabilities.

Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32921&cat=SRX_SERIES&actp=LIST

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: How to enable TLS for SRX GUI access for the PCI compliance

04-15-2019 01:27 AM

Hi

But we already have version 12.3X48-D45.6, which, based on the KB below, supports TLS 1.2:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30879

But when we did the compliance audit, the finding was that the running version uses SSL and not TLS.

My question is: how do we enable TLS and disable SSL?

Solution
Accepted by topic author mahmoud.yasin@ad-tech.com.jo
04-20-2019 03:30 AM

Re: How to enable TLS for SRX GUI access for the PCI compliance

04-15-2019 02:50 AM

AFAIK, there is no configuration knob to disable SSL. SSL is disabled in the version mentioned in my last post. The version you are running (12.3X48-D45.6) will have both SSL and TLS. You may verify this by disabling SSL in your browser and then accessing J-Web.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: How to enable TLS for SRX GUI access for the PCI compliance

04-18-2019 09:23 PM

Hi mahmoud

The version you are currently using does support TLS 1.2 but also supports older SSL versions. There is a shell command for stopping the use of specific SSL versions; however, this command won't survive a reboot of the firewall.

1. From the root shell:
root@junos% vi /jail/var/etc/httpd.conf
Change the default config, something similar to "SSLProtocol ALL -SSLV2", to "SSLProtocol TLSv1".

2. Find the process ID (pid) of httpd and kill/restart it:
root@junos% ps auxw | grep httpd
root@junos% kill -9 (pid of httpd)
OR
root@junos% kill -HUP (pid of httpd)

*Note: This change will not survive reboots. Additionally, executing the 'restart web-management' CLI command will restart the httpd-gk process, which will regenerate the default httpd.conf file and overwrite the manual changes.

The best solution is to upgrade to version 12.3X48-D55 or newer, because "In SRX devices that run Junos OS releases 12.3X48-D55 and later, Transport Layer Security (TLS) versions prior to TLSv1.2 are not supported."

Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32921&cat=SRX_SERIES&actp=LIST

Hope this helps and please mark as "Solution Accepted" if it applies.
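The thread never shows how to confirm what the J-Web listener actually negotiates, which is what the auditor's finding and the httpd.conf edit above both hinge on. The script below is an added example, not code from any of the replies or from Juniper: it drives `openssl s_client` once per protocol version against a host and port you supply (J-Web listens on 443 by default; the address is an assumption) and classifies each handshake transcript. The sample transcripts embedded in it are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added verification example (not from any reply above): probe which SSL/TLS
# protocol versions an HTTPS listener such as SRX J-Web still negotiates.
# Depends only on the openssl CLI. Host and port are passed in by the caller.

# classify_handshake: read one "openssl s_client" transcript on stdin and print
#   accepted    - a cipher was negotiated with the requested protocol version
#   rejected    - the server (or the local client's policy) refused that version
#   unsupported - this openssl build does not know the flag (e.g. -ssl3 compiled out)
#   error       - no handshake was attempted (connection refused, DNS failure, ...)
# The "(NONE)" failure line is tested before the generic "New, ..., Cipher is"
# success line, because the failure line also matches the success glob.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"Unknown option"*|*"unknown option"*) echo unsupported ;;
        *"New, (NONE), Cipher is (NONE)"*)     echo rejected ;;
        *"New, "*", Cipher is "*)              echo accepted ;;
        *)                                     echo error ;;
    esac
}

# probe_version HOST PORT FLAG   (FLAG: -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3)
# stdin comes from /dev/null so s_client exits right after the handshake attempt.
probe_version() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# scan_host HOST [PORT]: one result line per protocol version flag.
scan_host() {
    host=$1
    port=${2:-443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
    done
}

# Constructed sample transcripts (not captured from a real SRX) so the
# classifier can be checked without network access.
SAMPLE_TLS12_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
SAMPLE_TLS10_REFUSED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'
SAMPLE_SSL3_NO_FLAG='s_client: Unknown option: -ssl3
s_client: Use -help for summary.'

demo() {
    printf '%s\n' "$SAMPLE_TLS12_OK"      | classify_handshake   # accepted
    printf '%s\n' "$SAMPLE_TLS10_REFUSED" | classify_handshake   # rejected
    printf '%s\n' "$SAMPLE_SSL3_NO_FLAG"  | classify_handshake   # unsupported
}

# Usage: ./probe_jweb.sh <srx-mgmt-address> [port]; with no arguments, run the
# offline demo against the constructed transcripts.
if [ -n "${1:-}" ]; then
    scan_host "$1" "${2:-443}"
else
    demo
fi
```

Run it before the httpd.conf edit, after the `kill -HUP`, and again after a reboot or `restart web-management`, since the reply above says the manual change does not persist across either. Read "rejected" with care: a modern OpenSSL build may itself refuse to offer SSLv3 or TLS 1.0 under its default security level, so a "rejected" on `-ssl3` or `-tls1` should be confirmed from a client known to still offer those versions before it is reported as a server-side result. For PCI DSS purposes the `-tls1` line is the one that matters most: SSL and early TLS (TLS 1.0) are the versions the standard requires migrating away from.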