security config modify doesn't work as expected

El_Feuro — Wed, 04 Jun 2025 09:47:20 GMT

Hi,

I have problem to enable the right cipher suites in ONTAP 9.12.1P2 and 19.13.1.

The command:
security config modify -interface SSL -supported-ciphers ECDHE:!PSK:!DHE:!LOW:!aNULL:!EXP:!eNull:!3DES:!kdH:!kECDd:!SHA

enables following cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384

I don't want the red marked cipher suites to be enabled so I tried this command:

security config modify -interface SSL -supported-cipher-suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384

But the result is:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

The both cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 are not enabled.

No matter how I try to enable this both cipher suites it doesn't work. Only the first command in this post works.

Does anybody know the reason or solution for this strange behavior?

Re: security config modify doesn't work as expected

Haseeb — Fri, 14 Jul 2023 11:56:25 GMT

Hi,

You can set the cipher and cipher suite with a single command.

E.g:

security config modify -interface SSL -supported-protocols TLSv1.3,TLSv1.2 -supported-ciphers ECDHE:!PSK:!DHE:!LOW:!aNULL:!EXP:!eNull:!3DES:!kdH:!kECDd:!SHA -supported-cipher-suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384

By specifying the cipher and cipher suite we'd like above we'd get the following result:

cluster1::*> security config show Cluster Supported FIPS Mode Protocols Supported Cipher Suites ---------- --------- ---------------------------------------------------------- false TLSv1.3, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256

I hope this helps with your issue.

topic Re: security config modify doesn't work as expected in ONTAP Discussions

security config modify doesn't work as expected

Re: security config modify doesn't work as expected