Changing SSL/TLS/SSH levels for the system using the CLI

Administrators can determine which client systems do not have sufficient security levels and either update them to the higher level or decrease the system security level until these systems are updated.

You cannot simultaneously change the SSL/TLS and the SSH settings by using the chsecurity command. Change one type of security level, and then check that the system is still accessible before changing the other type of security level.

To change security level settings by using the command-line interface, complete these steps:
  1. To change SSL/TLS settings, enter chsecurity -sslprotocol security_level, where security_level is one of the following values:
    Table 1. Supported SSL/TLS security levels.

    Supported SSL/TLS security levels
    Security level Description Minimum security allowed
    1 Sets the system to disallow SSL version 3.0. TLS 1.0
    2 Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1. TLS 1.2
    3 Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1 and to allow cipher suites that are exclusive to TLS version 1.2. TLS 1.2
    4 Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1 and to allow cipher suites that are exclusive to TLS version 1.2. Sets the system to disallow RSA key exchange ciphers, RSA ciphers for SSH. TLS 1.2
    Note: Users might lose the connection to the management GUI when the security level is changed. If you lose the connection, use the CLI to decrease the security level to a lower setting.
  2. To change SSH settings, enter chsecurity -sshprotocol security_level, where security_level is one of the following values:
    Table 2. Supported SSH security levels.

    Supported SSH security levels
    Security level Description
    1 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1
    • diffie-hellman-group-exchange-sha1
    2 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
Parent topic: Managing security