how to enable TLS 1.2 & 1.3 in netgate 1100
-
Hi guys, we bought a new Netgate 1100, and now we're wondering how to ensure both TLS 1.2 & 1.3 are enabled. I heard TLS v1.3 is enabled by default, but I don't know how to check it and enable it if it's not enabled yet. Thanks.
-
@thomasyang said in how to enable TLS 1.2 & 1.3 in netgate 1100:
we bought a new Netgate 1100, and now we're wondering how to ensure both TLS 1.2 & 1.3 are enabled.
The pfSense access can be set to "https". So it uses TLS.
Only the admin of pfSense uses this access, once in a while. It's not some 'public' access, and it is only exposed on the LAN interface.
Edit :
If you trust your other LAN network users, you can even use the http access : no risk.
Want to know what version of TLS is used ?
Well, what about : connect to the GUI and ask your browser ... Or, far better, use 'god mode' (the command line) and ask pfSense :
openssl s_client -crlf -connect pfsense.your-local-network.tld:443
You will see all the important things, and among them :
Protocol : TLSv1.3
@thomasyang said in how to enable TLS 1.2 & 1.3 in netgate 1100:
heard TLS v1.3 is enabled by default
heard ???? (though we all agreed on "do some fact checking first" ;) )
Use your favorite search engine.
Enter these key words : pfSense TLS 1.3
On the first or second proposed link you'll find a site docs.netgate.com that says :
21.02/21.02-p1/2.5.0 New Features and Changes
That site - Netgate - is the author of pfSense, so if they say so, it might as well be true, since CE 2.5.0 or your pfSense version. That is, if you have a recent version.
As I showed above, it is true for me.
-
@gertjan said in how to enable TLS 1.2 & 1.3 in netgate 1100:
pfSense TLS 1.3
Thanks for sharing, Gertjan.
Actually we use this router in a bank machine similar to an ATM, so everything is private, not a public connection at all.
And the customer requires the new router to support both TLS 1.2 and 1.3, and we are testing the Netgate 1100 to see if it meets the requirement. So if the command "openssl s_client -crlf -connect pfsense.your-local-network.tld:443" returns "Protocol : TLSv1.3", does it mean only v1.3 is enabled?
- If yes, then any "god mode" commands or configuration(in Admin GUI ) can enable both?
- If no, how to check if both 1.2 and 1.3 are enabled? No matter whether via "god mode" or the Admin GUI.
Very appreciated if you can advise.
-
As 'https' on port 443 concerns a web server - nginx in this case, check the file
/var/etc/nginx-webConfigurator.conf
This is the nginx config file.
You find
ssl_protocols TLSv1.2 TLSv1.3;
so I tend to say that these are the protocols accepted.
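The two checks described in this thread (probing the webGUI with openssl s_client, and reading the ssl_protocols directive from the nginx configuration) can be scripted so that each TLS version is tested separately. The script below is an added example, not code from the thread or from Netgate; the sample nginx config it creates is constructed, modelled on the ssl_protocols line quoted above, and the host to probe is an assumption supplied through the PFSENSE_HOST variable. The probe asks for one protocol version per connection, which is what answers the "is 1.2 also accepted?" question: a plain s_client call only reports the highest version both sides agree on.

```shell
#!/bin/sh
# Added example: verify which TLS versions the pfSense webGUI (nginx) accepts.
# Not part of the original thread; constructed for illustration.

# Offline check: extract the ssl_protocols directive from an nginx config file.
# Prints the protocol list (e.g. "TLSv1.2 TLSv1.3") or nothing if absent.
nginx_ssl_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Returns 0 (true) if the given version name appears in the ssl_protocols list.
tls_version_listed() {
    nginx_ssl_protocols "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Constructed sample config, modelled on /var/etc/nginx-webConfigurator.conf.
# Writes it to a temp file and prints the path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample for the example; not the real pfSense file
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}
EOF
    echo "$f"
}

# Online check: force a single protocol version and see whether the handshake
# completes. $1 is host:port, $2 is the openssl flag (-tls1_2 or -tls1_3).
# Prints "accepted" or "rejected". Requires OpenSSL 1.1.1+ for -tls1_3.
probe_tls() {
    if openssl s_client -connect "$1" "$2" </dev/null 2>/dev/null \
        | grep -q '^ *Protocol *: *TLS'; then
        echo "accepted"
    else
        echo "rejected"
    fi
}

# Only probe the network when a target is given (assumed variable name).
if [ -n "${PFSENSE_HOST:-}" ]; then
    for flag in -tls1_2 -tls1_3; do
        echo "$PFSENSE_HOST $flag: $(probe_tls "$PFSENSE_HOST" "$flag")"
    done
fi
```

Run as `PFSENSE_HOST=pfsense.your-local-network.tld:443 sh check-tls.sh` from a machine on the LAN; both versions should print "accepted" when the config lists TLSv1.2 and TLSv1.3, and a version missing from ssl_protocols prints "rejected".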
-
@gertjan so Netgate 1100 uses nginx as its web server, right?
-
See for yourself Diagnostics > System Activity
Or visit pfsense.your-local-network.tld/who-are-you?
This will ask for a page that doesn't exist, so the web server (nginx) will tell you ....
edit :
Why did you ask the same question in the MultiWAN section ? :
-
@gertjan many thanks, let us try out.
BTW, I raised multiple tickets because I don't know which category to raise them in; there is no "protocol" or "security" category in the forum.
-
@thomasyang
I understand.
"webGUI" seems fine to me, as your question concerns the web based GUI.
If you're looking for the perfect "security", make it a non-issue.
Like : make the WebGUI only accessible on the LAN interface.
Activate another interface (initially called OPT) as the LAN type, and use a firewall rule to forbid any "local" web GUI access.
Remove all devices from the LAN port. This way, the question is resolved, as the question became irrelevant.
The only way to admin the device is to physically connect a cable into the LAN port : the admin has to have physical access to (into) the device.
..... humm : an SG1000 only has two ports, which is rather minimalistic
Next best : set up OpenVPN if you need to connect to the webGUI remotely.