How to disable SSL and enable TLS for the SRX GUI HTTPS access, as it's needed for the PCI compliance.
"We use a public certificate for the firewall GUI access"
Upgrade to 12.3X48-D55, 15.1X49-D100 and later releases. On these releases, TLS1.0 and TLS1.1 SSL protocols are blocked because of reported security vulnerabilities.
But we already have version 12.3X48-D45.6, which, based on the KB below, supports TLS 1.2.
But when we did the compliance audit we found that the running version is SSL and not TLS.
My question is how to enable TLS and disable SSL?
AFAIK, there is no configuration knob to disable SSL. SSL is disabled in the version mentioned in my last post. The version you are running (12.3X48-D45.6) will have both SSL and TLS. You may verify this by disabling SSL in your browser and then accessing J-Web.
The version you are currently using does support TLS1.2 but also supports older SSL versions. There is a shell command for stopping the use of specific SSL versions; however, this command won't survive a reboot of the firewall.
1. From the root shell:
root@junos% vi /jail/var/etc/httpd.conf
Change the default config, something similar to "SSLProtocol ALL -SSLV2" to "SSLProtocol TLSv1"
2. Find the process ID (pid) of httpd and kill/restart it:
root@junos% ps auxw | grep httpd
root@junos% kill -9 (pid of httpd)
OR
root@junos% kill -HUP (pid of httpd)
*Note: This change will not survive after reboots.
Additionally, executing the 'restart web-management' CLI command will restart the httpd-gk process which will regenerate the default httpd.conf file, and overwrite the manual changes.
The best solution is to upgrade to version 12.3X48-D55 or newer because "In SRX devices that run Junos OS releases 12.3X48-D55 and later, Transport Layer Security (TLS) versions prior to TLSv1.2 are not supported."
Hope this helps and please mark as "Solution Accepted" if it applies.
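The httpd.conf edit in the reply above is done by hand in vi, so it is easy to leave a second SSLProtocol line behind or mistype the keyword, and there is no check afterwards that the listener really stopped accepting the old versions. The script below is an added example, not code from the thread or from Juniper: it rewrites the SSLProtocol directive in an Apache-style config file in a repeatable way, reads the value back, and can probe a listener with openssl s_client to confirm which protocol versions it still accepts. The config file content and the temporary path are constructed for the demo; the real file on the SRX is /jail/var/etc/httpd.conf as stated above, and the demo sets "TLSv1.2" (the floor the later releases enforce per the reply) rather than the "TLSv1" keyword the reply shows, so adjust the value to whatever your httpd build accepts. The manual caveat from the thread still applies: the change does not survive a reboot or a 'restart web-management'.

```shell
#!/bin/sh
# Added example, not from the thread. Rewrites the SSLProtocol directive of an
# Apache-style httpd.conf, reads it back, and optionally probes a listener.
# File contents and paths below are constructed for the demo; the SRX jail
# file is /jail/var/etc/httpd.conf, as the reply above states.
set -e

# set_ssl_protocol FILE VALUE: replace every SSLProtocol line in FILE with a
# single "SSLProtocol VALUE" line, appending one if the directive is absent.
# Commented-out lines (#SSLProtocol ...) are left alone.
set_ssl_protocol() {
    conf="$1"; value="$2"
    awk -v v="$value" '
        tolower($1) == "sslprotocol" { if (!seen) print "SSLProtocol " v; seen = 1; next }
        { print }
        END { if (!seen) print "SSLProtocol " v }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_ssl_protocol FILE: print the value of the first SSLProtocol directive.
get_ssl_protocol() {
    awk 'tolower($1) == "sslprotocol" {
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out; exit
         }' "$1"
}

# count_ssl_protocol FILE: number of active SSLProtocol lines (expect 1).
count_ssl_protocol() {
    awk 'tolower($1) == "sslprotocol" { n++ } END { print n + 0 }' "$1"
}

# probe_tls HOST PORT: attempt one handshake per protocol flag and report the
# result. A rejected handshake is what an auditor wants to see for the old
# versions. Only run when HOST and PORT are given on the command line.
probe_tls() {
    host="$1"; port="$2"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$host:$port" "$flag" </dev/null >/dev/null 2>&1; then
            echo "$flag: ACCEPTED"
        else
            echo "$flag: rejected (or flag unsupported by this openssl build)"
        fi
    done
}

# Demo on a constructed copy of a default-looking config.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
Listen 443
# default line similar to the one the reply mentions
SSLProtocol ALL -SSLv2
SSLEngine on
EOF

set_ssl_protocol "$demo_conf" "TLSv1.2"
echo "SSLProtocol is now: $(get_ssl_protocol "$demo_conf")"
echo "active SSLProtocol lines: $(count_ssl_protocol "$demo_conf")"

# Usage: sh harden_httpd_tls.sh HOST PORT   (probe a real listener afterwards)
if [ "$#" -eq 2 ]; then
    probe_tls "$1" "$2"
fi
```

Run it with no arguments to see the rewrite on the constructed file, or with HOST PORT after applying the change on the device and sending httpd the HUP described above; the probe output for -ssl3, -tls1 and -tls1_1 should read "rejected" and only -tls1_2 "ACCEPTED".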