[SRX] Changing the TLS version for SSL traffic towards SRX devices


Article ID: KB32921 KB Last Updated: 23 Jul 2020 Version: 2.0
Summary:

On SRX devices that run Junos OS releases 12.3X48-D55, 15.1X49-D100, and later, Transport Layer Security (TLS) versions prior to TLSv1.2 are not supported. Any new request made with TLS 1.0 or TLS 1.1 is therefore blocked because of reported security vulnerabilities.

This article explains how to change the TLS version in various browsers so that requests to these SRX devices go through successfully.

Symptoms:

With TLS versions 1.0 and 1.1, the SSL handshake on SRX devices that run Junos OS releases 12.3X48-D55, 15.1X49-D100, and later will face issues:

  • When connecting with Pulse Secure for Dynamic VPN, the connection will fail.

  • When connecting to an SRX device on HTTPS for J-Web, the following message is displayed:

Solution:

To ensure that traffic directed at these SRX devices goes through successfully, browser-based TLS sessions must have TLS 1.2 enabled. This can be done as follows for each browser:

Microsoft Internet Explorer

  1. Open Internet Explorer.
  2. From the menu bar, click Tools > Internet Options > Advanced tab.

  3. Scroll down to the Security category and select the "Use TLS 1.2" check box.

     

  4. Click OK.

  5. Close your browser and restart Internet Explorer.

Google Chrome

  1. Open Google Chrome.
  2. Press Alt + F and click Settings.

  3. Scroll down and click Advanced to view advanced settings.

  4. Scroll down to the System section and click "Open proxy settings."

  5. Click the Advanced tab.

  6. Scroll down to the Security category and select the "Use TLS 1.2" check box.

  7. Click OK.

  8. Close your browser and restart Google Chrome.

Mozilla Firefox

  1. Open Firefox.
  2. In the address bar, type about:config and press Enter.

  3. In the Search field, enter tls. Find and double-click the entry for "security.tls.version.min."

  4. Set the integer value to 3 to force TLS 1.3, or to 2 for TLS 1.2. The following image shows TLS 1.3:

  5. Click OK.

  6. Close your browser and restart Mozilla Firefox.

Opera

  1. Open Opera.
  2. Press Ctrl + F12.

  3. Scroll down to the Network section and click "Change proxy settings."

  4. Click the Advanced tab.

  5. Scroll down to the Security category and select the "Use TLS 1.2" check box.

  6. Click OK.
  7. Close your browser and restart Opera.

Apple Safari

There are no options for enabling SSL protocols in Apple Safari. If you are using Safari version 7 or later, TLS 1.2 is automatically enabled.

Pulse Secure Client

The Pulse Secure client uses OpenSSL libraries for Pulse client connections. The TLS version it uses is determined by the OpenSSL DLLs that are installed on the user's machine along with the Pulse Secure client. This is hardcoded and cannot be controlled by users.

Pulse Secure 5.1 versions are hardcoded with TLS 1.2. If an older version is being used, the Pulse Secure client must be upgraded to version 5.1 or later. To download the current Pulse Secure version, go to Pulse Download.

Note: Caveat for Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1: https://support.microsoft.com/en-in/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Modification History:
2020-07-18: Article reviewed for accuracy; no changes required.