In SRX devices that run Junos OS releases 12.3X48-D55, 15.1X49-D100, and later, Transport Layer Security (TLS) versions prior to TLSv1.2 are not supported. Therefore, if any new request is made with the TLS 1.0 or TLS 1.1 SSL protocol, the request will be blocked because of reported security vulnerabilities.
This article explains how to change the TLS version on various browsers so that the request goes through successfully in these SRX devices.
With TLS versions 1.0 and 1.1, the SSL handshake on SRX devices that run Junos OS releases 12.3X48-D55, 15.1X49-D100, and later will face issues:
- When connecting with Pulse Secure for Dynamic VPN, the connection will fail.
- When connecting to an SRX device on HTTPS for J-Web, the following message is displayed:
To ensure that traffic directed at these SRX devices goes through successfully, the browser-based TLS sessions will need to have TLS 1.2 version enabled. This can be done as follows, for each of the browsers:
Microsoft Internet Explorer
- Open Internet Explorer.
- From the menu bar, click Tools > Internet Options > Advanced tab.
- Scroll down to the Security category and select the "Use TLS 1.2" check box.
- Click OK.
- Close your browser and restart Internet Explorer.
Google Chrome
- Open Google Chrome.
- Press Alt + F and click Settings.
- Scroll down and click Advanced to view advanced settings.
- Scroll down to the System section and click "Open proxy settings."
- Click the Advanced tab.
- Scroll down to the Security category and select the "Use TLS 1.2" check box.
- Click OK.
- Close your browser and restart Google Chrome.
Mozilla Firefox
- Open Firefox.
- In the address bar, type about:config and press Enter.
- In the Search field, enter tls. Find and double-click the entry for "security.tls.version.min."
- Set the integer value to 3 to force TLS 1.3, or to 2 for TLS 1.2. The following image shows TLS 1.3:
- Click OK.
- Close your browser and restart Mozilla Firefox.
Opera
- Open Opera.
- Press Ctrl + F12.
- Scroll down to the Network section and click "Change proxy settings."
- Click the Advanced tab.
- Scroll down to the Security category and select the "Use TLS 1.2" check box.
- Click OK.
- Close your browser and restart Opera.
Apple Safari
There are no options for enabling SSL protocols in Apple Safari. If you are using Safari version 7 or later, TLS 1.2 is automatically enabled.
Pulse Secure Client
The Pulse Secure client uses OpenSSL libraries for Pulse client connections and the TLS version to be used is determined by the OpenSSL DLLs that are installed on the user machine while installing the Pulse Secure client. This is hardcoded and cannot be controlled by users.
Pulse Secure 5.1 versions are hardcoded with TLS 1.2. If an older version is being used, the Pulse Secure client must be upgraded to version 5.1 or later. To download the current Pulse Secure version, go to Pulse Download.
Note: Caveat for Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1: https://support.microsoft.com/en-in/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
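To confirm from a client host which TLS versions the SRX's HTTPS (J-Web) listener accepts, and that the local TLS stack can negotiate TLS 1.2, a probe like the following can be used. It is an added example, not Juniper code; the function names and the 192.0.2.1 address are placeholders chosen for illustration, and it assumes the device may present a self-signed certificate.

```python
import socket
import ssl

# Versions relevant to this article: the SRX refuses TLS 1.0/1.1 and requires TLS 1.2.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Client context that offers exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: the device may use a self-signed certificate. This probe only
    # tests protocol negotiation, so certificate checks are disabled here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """Return the negotiated version string, or None if no handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            ctx = pinned_context(version)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        # Covers a refused handshake, an unreachable host, and a local TLS
        # library that cannot offer the requested version at all.
        return None

def report(host, port=443):
    """Map each version name to the negotiated version, or None."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}

if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder; substitute the device address.
    for name, result in report("192.0.2.1").items():
        status = f"accepted ({result})" if result else "refused or unreachable"
        print(f"{name}: {status}")
```

A `None` result for TLS 1.0 or 1.1 can also mean the local OpenSSL build or policy disables that version, so the TLS 1.2 line is the one that confirms the client side is ready.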