SSL/TLS Supported Protocol & Workaround for TLSv1.2

INTERNAL

SSL/TLS protocol setting
Hitch supports TLS (1.0, 1.1 and 1.2) and SSL 3.

By default, only TLS versions 1.1 and 1.2 are enabled; TLS 1.0 and SSLv3 are disabled in version 8.0.2.x.


But in versions prior to 8.0.2.x, the config does not pin a specific TLS version. The workaround below makes the config point to TLSv1.2 on all filers; it requires a restart of the Hitch service, which is responsible for WebUI access.
Or
upgrade to version 8.0.2.x.

In versions prior to 8.0.2.x, the Hitch config does not contain any tls-protos line:
[SA:FilerZ - Active /]# cat /usr/local/etc/hitch.conf | grep -i TLS
# stud(8), The Scalable TLS Unwrapping Daemon's configuration
# tls = on
In version 8.0.2.x and above, the config is updated by default; no workaround is needed:
[SA:FilerX - Active /]# cat /usr/local/etc/hitch.conf | grep -i TLS
# stud(8), The Scalable TLS Unwrapping Daemon's configuration
# tls = on
tls-protos = TLSv1.2

Workaround to update the config so that it points only to TLSv1.2, for versions prior to 8.0.2.x

1) Add the following line to /usr/local/etc/hitch.conf:
tls-protos = TLSv1.2

Command:
echo "tls-protos = TLSv1.2" >> /usr/local/etc/hitch.conf

2) Restart the hitch service using the command below:
service hitch restart

3) Now verify the result using OpenSSL (you need to run this against a peer filer's management IP).
For example: if you are on filer1, use the management IP of filer2 or filer3; ssh to one of those filers and check filer1 from there.
Replace 10.4.28.65 with the management IP of each filer in turn; run this set of commands against all three filers' management IPs one by one.

openssl s_client -connect 10.4.28.65:443 -tls1
openssl s_client -connect 10.4.28.65:443 -tls1_1
openssl s_client -connect 10.4.28.65:443 -tls1_2

Expected output:
For -tls1 and -tls1_1 the handshake should fail and the output should show "Secure Renegotiation IS NOT supported"; for -tls1_2 the connection should work.
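As an added example (not from the original article and not part of the Hitch project), the following POSIX shell script wraps steps 1 to 3 so they can be repeated safely: it adds the tls-protos line only once instead of appending a duplicate on every run, restarts Hitch, and checks each peer filer's management IP with the three openssl commands, classifying the output the way the expected-output note describes. The script name, the config path, and the two abridged s_client transcripts used by the offline demo are assumptions; only the "verify" mode talks to a filer.

```shell
#!/bin/sh
# Added example, not part of the original article or of the Hitch project.
# Idempotent form of workaround steps 1-3. Assumptions: the config path, the
# filer IPs passed on the command line, and the two sample s_client transcripts
# below, which are constructed from the article's expected output.

HITCH_CONF="${HITCH_CONF:-/usr/local/etc/hitch.conf}"

# Step 1, made safe to re-run: the article's `echo >> hitch.conf` appends a
# fresh line every time it is executed, so a second run leaves two tls-protos
# keys. Here an existing (possibly weaker) tls-protos line is rewritten in
# place, and a line is appended only when none exists.
ensure_tls12_only() {
    conf="$1"
    if grep -q '^[[:space:]]*tls-protos[[:space:]]*=' "$conf"; then
        sed -i.bak 's/^[[:space:]]*tls-protos[[:space:]]*=.*/tls-protos = TLSv1.2/' "$conf"
    else
        # Leading newline guards against a config whose last line lacks one.
        printf '\ntls-protos = TLSv1.2\n' >> "$conf"
    fi
}

# Print the effective tls-protos value (last uncommented occurrence), if any.
tls_protos_value() {
    grep '^[[:space:]]*tls-protos[[:space:]]*=' "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Steps 1 and 2 together, on the live config (requires root on the filer).
apply_workaround() {
    ensure_tls12_only "$HITCH_CONF" && service hitch restart
}

# Step 3 helper: classify a captured `openssl s_client` transcript.
# "rejected" = the server refused the handshake (what the article expects
# for -tls1 and -tls1_1); "accepted" = a session was negotiated (-tls1_2).
classify_sclient() {
    if printf '%s\n' "$1" | grep -Eq 'Cipher is \(NONE\)|handshake failure'; then
        echo rejected
    else
        echo accepted
    fi
}

# Step 3: run the three checks against each peer filer's management IP.
# Run from a *peer* filer, as the article says. </dev/null makes s_client
# exit right after the handshake instead of waiting for input.
verify_filers() {
    for ip in "$@"; do
        for proto in tls1 tls1_1 tls1_2; do
            out=$(openssl s_client -connect "$ip:443" "-$proto" </dev/null 2>&1)
            printf '%-15s %-7s %s\n' "$ip" "$proto" "$(classify_sclient "$out")"
        done
    done
}

# Constructed transcripts, abridged from the article's example output.
SAMPLE_REJECTED='CONNECTED(00000003)
34369862056:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'
SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=0 CN = filer-placeholder.example
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported'

# Offline demo on a scratch copy of a pre-8.0.2.x config; the filer is untouched.
demo() {
    tmp=$(mktemp)
    printf '# tls = on\n' > "$tmp"
    ensure_tls12_only "$tmp"
    ensure_tls12_only "$tmp"          # second run must be a no-op
    echo "tls-protos now: $(tls_protos_value "$tmp") ($(grep -c '^tls-protos' "$tmp") line)"
    echo "sample rejected transcript -> $(classify_sclient "$SAMPLE_REJECTED")"
    echo "sample accepted transcript -> $(classify_sclient "$SAMPLE_ACCEPTED")"
    rm -f "$tmp" "$tmp.bak"
}

# Usage: ./hitch_tls12.sh                                  (offline demo)
#        ./hitch_tls12.sh verify 10.4.28.65 <peer-mgmt-ip>  (article's step 3)
case "${1:-demo}" in
    verify) shift; verify_filers "$@" ;;
    *) demo ;;
esac
```

The classification relies on the two markers visible in the article's own failed handshakes ("ssl handshake failure" and "Cipher is (NONE)"); a filer that still accepts -tls1 or -tls1_1 will print "accepted" for that row, which is the signal that the workaround has not taken effect there.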

Extra Notes:

Example of the expected output of the openssl commands above:
avapcfs001# openssl s_client -connect 10.4.28.65:443 -tls1
CONNECTED(00000003)
34369862056:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1624752088
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
avapcfs001# openssl s_client -connect 10.4.28.65:443 -tls1_1
CONNECTED(00000003)
34369862056:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1624752106
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
avapcfs001# openssl s_client -connect 10.4.28.65:443 -tls1_2
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Aliso Viejo, O = Fluor Corporation, OU = Server Services, CN = AVAPCFS003.fdnet.com, emailAddress = Armando Sandoval Server.services@fluor.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Aliso Viejo, O = Fluor Corporation, OU = Server Services, CN = AVAPCFS003.fdnet.com, emailAddress = Armando Sandoval Server.services@fluor.com
verify error:num=21:unable to verify the first certificate
verify return:1
---

Refer - Bug CC-37865 & SF case 00073568