Configuring SSL/TLS Versions and Ciphers

This section describes how to configure SSL/TLS protocol versions and ciphers that Oracle ZFS Storage Appliance uses to communicate with peer appliances.

A cipher is an algorithm for performing encryption and decryption, and the appliance uses ciphers for different tasks, such as encrypting and decrypting data during data replication. Configure the SSL/TLS versions and ciphers according to your site's security requirements. For remote replication, ensure that both the source and target appliances are configured to support the same values.

Do not change SSL/TLS versions or ciphers unless the cluster is fully operational. If the settings are changed so that the two controllers are not using compatible settings, the second controller will not be able to rejoin the cluster. If this happens, reset the settings so that they are compatible.

Oracle ZFS Storage Appliance systems running older firmware might not support ciphers offered in newer TLS versions. Because the versions and at least one of the ciphers must be identical on appliances that communicate with each other, if one appliance supports only TLSv1.0 ciphers, all appliances must be configured to allow the TLSv1.0 version and ciphers.

As of software release OS8.8.67, TLSv1.0 and TLSv1.1 are not supported because the OpenSSL 3.0 library is now the basis for encrypted communication. Therefore, appliances updated to OS8.8.67 or later cannot use legacy TLS versions for communication with each other.
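The following pre-change check is an added example, not Oracle's code or appliance tooling. It tests whether two peers' settings still leave a workable handshake under the matching rule and the OS8.8.67 cutoff described above. It goes slightly beyond the text by also requiring that a shared cipher be usable under a shared TLS version. The dictionary layout, the OpenSSL-style cipher names, and the release OS8.8.60 are assumptions constructed for illustration.

```python
import re

LEGACY = {"TLSv1.0", "TLSv1.1"}
OPENSSL3_RELEASE = (8, 8, 67)  # from the page: OS8.8.67 drops TLSv1.0/TLSv1.1

def release_tuple(release):
    """'OS8.8.67' -> (8, 8, 67)"""
    return tuple(int(n) for n in re.findall(r"\d+", release))

def usable_versions(peer):
    """Configured versions minus those the peer's release no longer supports."""
    versions = set(peer["versions"])
    if release_tuple(peer["release"]) >= OPENSSL3_RELEASE:
        versions -= LEGACY
    return versions

def cipher_versions(name):
    """Versions a suite can be negotiated under (assumes OpenSSL-style names)."""
    if name.startswith("TLS_"):                              # TLS 1.3 suites
        return {"TLSv1.3"}
    if re.search(r"GCM|CCM|CHACHA20|SHA(256|384)$", name):   # AEAD or SHA-2 MAC
        return {"TLSv1.2"}
    return {"TLSv1.0", "TLSv1.1", "TLSv1.2"}                 # older CBC/SHA-1 suites

def check(a, b):
    """Return (workable_ciphers, problems) for two peer configurations."""
    problems = []
    for p in (a, b):
        dropped = sorted(set(p["versions"]) - usable_versions(p))
        if dropped:
            problems.append(f"{p['name']}: {dropped} not supported on {p['release']}")
    versions = usable_versions(a) & usable_versions(b)
    shared = set(a["ciphers"]) & set(b["ciphers"])
    workable = sorted(c for c in shared if cipher_versions(c) & versions)
    if not versions:
        problems.append("no TLS version in common")
    elif not workable:
        problems.append("no shared cipher usable under a shared TLS version")
    return workable, problems

# Constructed sample settings, not taken from a real appliance.
SOURCE = {"name": "source", "release": "OS8.8.60",
          "versions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
          "ciphers": ["AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]}
TARGET = {"name": "target", "release": "OS8.8.67",
          "versions": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
          "ciphers": ["AES256-SHA", "TLS_AES_256_GCM_SHA384"]}

if __name__ == "__main__":
    print(check(SOURCE, TARGET))
```

An empty first element means the two peers cannot complete a handshake with the settings given, even when their cipher lists overlap.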

To configure SSL/TLS, use the following tasks: