How to enable TLS for SRX GUI access for the PCI compliance

  • 1.  How to enable TLS for SRX GUI access for the PCI compliance

    Posted 04-15-2019 00:01

    Hi

    How to disable SSL and enable TLS for the SRX GUI HTTPS access, as it's needed for PCI compliance.

    "We use a public certificate for the firewall GUI access."

    Thanks



  • 2.  RE: How to enable TLS for SRX GUI access for the PCI compliance

    Posted 04-15-2019 00:51

    Upgrade to 12.3X48-D55, 15.1X49-D100 and later releases. On these releases, the TLS 1.0 and TLS 1.1 SSL protocols are blocked because of reported security vulnerabilities.

    Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32921&cat=SRX_SERIES&actp=LIST



  • 3.  RE: How to enable TLS for SRX GUI access for the PCI compliance

    Posted 04-15-2019 01:27

    Hi

    But we already have version 12.3X48-D45.6, which, based on the KB below, supports TLS 1.2:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB30879

    But when we did the compliance audit, the result was that the running version is SSL and not TLS.

    My question is: how do we enable TLS and disable SSL?



  • 4.  RE: How to enable TLS for SRX GUI access for the PCI compliance
    Best Answer

    Posted 04-15-2019 02:51

    AFAIK, there is no configuration knob to disable SSL. SSL is disabled in the version mentioned in my last post. The version you are running (12.3X48-D45.6) will have both SSL and TLS. You may verify this by disabling SSL in your browser and then accessing J-Web.



  • 5.  RE: How to enable TLS for SRX GUI access for the PCI compliance

    Posted 04-18-2019 21:23

    Hi mahmoud

    The version you are currently using does support TLS 1.2 but also supports older SSL versions. There is a shell command for stopping the use of specific SSL versions; however, this command won't survive a reboot of the firewall.

    1. From the root shell, edit the web server configuration:
       root@junos% vi /jail/var/etc/httpd.conf
       Change the default config, something similar to "SSLProtocol ALL -SSLV2", to "SSLProtocol TLSv1".
    2. Find the process ID (pid) of httpd and kill/restart it:
       root@junos% ps auxw | grep httpd
       root@junos% kill -9 (pid of httpd)
       OR
       root@junos% kill -HUP (pid of httpd)

    *Note: This change will not survive reboots. Additionally, executing the 'restart web-management' CLI command will restart the httpd-gk process, which regenerates the default httpd.conf file and overwrites the manual changes.

    The best solution is to upgrade to version 12.3X48-D55 or newer because "In SRX devices that run Junos OS releases 12.3X48-D55 and later, Transport Layer Security (TLS) versions prior to TLSv1.2 are not supported."

    Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32921&cat=SRX_SERIES&actp=LIST


    Hope this helps and please mark as "Solution Accepted" if it applies.
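To confirm from a client which protocol versions J-Web actually negotiates, before and after the httpd.conf change above or the upgrade to 12.3X48-D55, here is an added example; it is not code from the thread or from Juniper. It assumes Python 3.7+ with the standard ssl module and takes the host to check as a command-line argument (the default 192.0.2.1 is only a placeholder).

```python
import socket
import ssl

# Oldest first. SSLv3 cannot be requested through the ssl module on current builds,
# so the check is: "no" on TLS 1.0 and 1.1, "yes" on at least TLS 1.2.
CANDIDATES = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = {"TLSv1.0", "TLSv1.1"}  # versions the 12.3X48-D55+ builds refuse

def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # testing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # offer the legacy suites old versions need
    except ssl.SSLError:
        pass  # library without security levels: keep its default cipher list
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # local TLS library will not even offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False  # alert, reset, refusal or timeout all count as "not supported"

def probe_all(host, port=443, timeout=5.0):
    """Map each candidate version name to whether the server accepted it."""
    return {name: probe_version(host, port, ver, timeout) for name, ver in CANDIDATES}

def pci_verdict(results):
    """(ok, accepted_legacy): ok only if no legacy version is accepted and one >= 1.2 is."""
    accepted_legacy = [n for n, ok in results.items() if ok and n in LEGACY]
    modern = any(ok for n, ok in results.items() if n not in LEGACY)
    return (not accepted_legacy and modern, accepted_legacy)

if __name__ == "__main__":
    import sys
    res = probe_all(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1")  # placeholder host
    ok, legacy = pci_verdict(res)
    print(res, "OK" if ok else "FAIL: legacy accepted: %s" % (legacy or "none usable"))
```

A "FAIL" with TLSv1.0 or TLSv1.1 listed is the same finding the auditor reported; an "OK" after the upgrade matches the KB32921 behaviour quoted above.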