`cc-config --status` does not show correct minimum TLS level


Article ID: 236163


Updated On:

Products

Messaging Gateway

Issue/Introduction

When running the `cc-config --status` command from the Messaging Gateway 10.7.5 command line interface, the minimum TLS level for connections to the SMG Control Center web application is reported as tls12 regardless of the actual minimum TLS setting.

smg-cc [10.7.5-4]> cc-config --status
Control center log level is WARN.
Compliance log retention is 30 days.
Port 443 is enabled.
Port 41080 is disabled.
Status of clientAuth is disabled.
set_tls_min_level is tls12

$ openssl s_client -connect smg:443 -tls1
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 6222B753929423ED09EE26B32840D33ABD7DC521CFAA4A4955245213D76D55B1

Environment

Release : 10.7.5

Component :

Cause

This is a display error in the cc-config command and will be addressed in a future release.

Resolution

This issue will be addressed in a future release. If you are concerned about the minimum TLS level currently set for the SMG Control Center web application, you can set it manually with the following steps:

  1. Install patch 10.7.5-291 if it is not already installed
  2. Run the cc-config command to set the minimum TLS level
  3. Confirm minimum TLS level using openssl from another system

Example

smg-cc [10.7.5-4]> show --version
Version:        Install Date:
10.7.5-4        Wed 02 Mar 2022 11:29:26 PM PST

SMG patch installation history:
     patch-10.7.5-291    2022-03-04 17:22

smg-cc [10.7.5-4]> cc-config set-min-tls-level --tls12
Stopping controlcenter (via systemctl):                    [  OK  ]
Starting controlcenter (via systemctl):                    [  OK  ]

$ openssl s_client -connect smg:443 -tls1
CONNECTED(00000005)
140515140755904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000

$ openssl s_client -connect smg:443 -tls1_2
CONNECTED(00000005)
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 6222BD7B8C4D2AA4D22DE8562451B228F5CF8677824997D7740B7A7D2B0C16A4
    Session-ID-ctx:
    Master-Key: 66F5CED4C11BE30E89832468BFE1EFAB676D0A5521EAA964BB2C911CAAFA22056DF6FCDF5114369167637385254958EB
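
The rejected `-tls1` probe above still prints `Protocol  : TLSv1`, so a check that only reads the Protocol line would misreport it. The following added example (not part of the original article or of the product's tooling) classifies `openssl s_client` output by the negotiated cipher and any alert instead; `classify_handshake`, `probe_min_tls` and the sample functions are names assumed for this example, and the samples are constructed from the transcripts on this page.

```bash
#!/usr/bin/env bash
# Added example: decide from `openssl s_client` output whether a protocol
# version was really negotiated. A rejected handshake still prints
# "Protocol  : TLSv1", so the Cipher line and alerts are what count.

classify_handshake() {
    # stdin: s_client output; stdout: "accepted <proto> <cipher>" or "rejected"
    awk '
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        /alert handshake failure|alert protocol version/ { alert = 1 }
        END {
            if (alert || cipher == "" || cipher == "0000")
                print "rejected"
            else
                print "accepted " proto " " cipher
        }'
}

probe_min_tls() {
    # usage: probe_min_tls host:port   (run from another system, as in step 3)
    local target=$1 flag
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%s: ' "$flag"
        openssl s_client -connect "$target" "$flag" </dev/null 2>&1 | classify_handshake
    done
}

# Constructed samples, abbreviated from the transcripts on this page.
sample_tls1_rejected() {
    cat <<'EOF'
CONNECTED(00000005)
140515140755904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
EOF
}
sample_tls1_accepted() {
    cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
EOF
}

sample_tls1_rejected | classify_handshake   # rejected
sample_tls1_accepted | classify_handshake   # accepted TLSv1 ECDHE-RSA-AES256-SHA
```

If the probing system's own OpenSSL policy disables TLS 1.0 or 1.1, `probe_min_tls` also reports `rejected` for those flags without the server having been tested, so run it from a client that can still offer the older versions.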