协议版本和关联密码命令管理用于访问设备的 SSL/TLS 协议版本和密码。
默认情况下,SSL/TLS 协议版本 TLSv1.1、TLSv1.2 及其关联密码处于启用状态。您可以通过向 HTTPS 服务发送 PUT 请求以设置 tls_version 属性来启用 TLSv1.0。
请求示例:
PUT /api/service/v1/services/https HTTP/1.1
Host: zfs-storage.example.com:215
Content-Type: application/json
{ "tls_version": ["TLSv1.0", "TLSv1.1", "TLSv1.2"] }
结果示例(为简洁起见,省略了输出):
HTTP/1.1 202 Accepted
Content-Length: 1265
X-Zfssa-Service-Api: 1.1
X-Zfssa-Api-Version: 1.0
Content-Type: application/json; charset=utf-8
{
"service": {
"href": "/api/service/v1/services/https",
"<status>": "online",
"tls_version": "TLSv1 TLSv1.1 TLSv1.2",
"ciphers": "SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:
...
3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:
DH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"
}
}
要仅启用 TLSv1.0,请将 ciphers 属性设置为仅用于 TLSv1.0 的密码的列表。
请求示例(为简洁起见,省略了输出):
PUT /api/service/v1/services/https HTTP/1.1
Host: zfs-storage.example.com:215
Content-Type: application/json
{
"tls_version": ["TLSv1.0"] ,
"ciphers" : ["SRP-DSS-AES-256-CBC-SHA", "SRP-RSA-AES-256-CBC-SHA", "SRP-AES-256-CBC-SHA",
...
"EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DH-RSA-DES-CBC3-SHA", "DH-DSS-DES-CBC3-SHA",
"DES-CBC3-SHA"]
}
结果示例(为简洁起见,省略了输出):
HTTP/1.1 202 Accepted
Content-Length: 809
X-Zfssa-Service-Api: 1.1
X-Zfssa-Api-Version: 1.0
Content-Type: application/json; charset=utf-8
{
"service": {
"href": "/api/service/v1/services/https",
"<status>": "online", "tls_version": "TLSv1",
"ciphers": "SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:
...
3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-
RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"
}
}