Disable TLS1.0 and TLS1.1 in hawk2 (web UI for managing HA cluster)

This document (000019803) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise High Availability Extension 12 SP3 (LTSS) - 12 SP4 (LTSS) - 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP3 - 12 SP4 - 12 SP5

Situation

Previous versions of the "HA Web Konsole" (hawk2) package did not have the ability to disable TLS 1.0 and TLS 1.1. SUSE has released hawk2 updates that offer these options.

The steps to disable TLS are different depending on the version of hawk2 that is installed.
Steps for both versions will be outlined below.

The options to disable TLS were added beginning with the Nov 19 2020 release of hawk2 version:

hawk2-2.2.1+git.1604928548.070a8e0c-3.15.1.x86_64

However, it is recommended to NOT use the above hawk2 package as there is a bug which causes High CPU usage on that version.

SUSE recommends this hawk2 version or newer:

hawk2-2.3.0+git.1607523195.05cd3222-3.18.1

Resolution

With the Dec 14 2020 release (or newer) of hawk2 version:

hawk2-2.3.0+git.1607523195.05cd3222-3.18.1

The steps to disable TLS1.0/1.1 on this version are:
1. Edit the file:
/etc/sysconfig/hawk

2. Set the variables below to true:

HAWK_NO_TLSV1="true"
HAWK_NO_TLSV1_1="true"

3. Restart hawk2:

systemctl restart  hawk

With the Nov 19 2020 release of hawk2 version:

hawk2-2.2.1+git.1604928548.070a8e0c-3.15.1.x86_64

To disable both TLS1.0 and TLS1.1 follow these steps:

1. Stop the hawk2 service:

systemctl stop hawk

2. Edit the file:
/srv/www/hawk/config/puma.rb

Find the line that is currently:

ssl_bind @listen, @port, cert: @cert, key: @key, verify_mode: 'none'

Add this text to the end of that line:

,no_tlsv1_1: true, no_tlsv1: true

The line should then look like:

ssl_bind @listen, @port, cert: @cert, key: @key, verify_mode: 'none', no_tlsv1_1: true, no_tlsv1: true

3. Start hawk2:

systemctl start hawk

Test that TLS1.0 and TLS1.1 are disabled with openssl:

openssl s_client -tls1 -connect localhost:7630
openssl s_client -tls1_1 -connect localhost:7630

The failed results will show:

CONNECTED(00000003)
139882563065488:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---

A successful connection will show "Server certificate" info.

Cause

Older versions of the hawk2 package were shipped with older versions of puma which did not have the ability to disable TLS versions 1.0 and 1.1.
SUSE recommends updating to this hawk version or newer:

hawk2-2.3.0+git.1607523195.05cd3222-3.18.1.x86_64

Additional Information

The hawk2 version:

hawk2-2.2.1+git.1604928548.070a8e0c-3.15.1.x86_64

causes ruby to use excessive CPU or high CPU load.
See:
https://www.suse.com/support/kb/doc/?id=000019808

SUSE recommends to use newer hawk2 versions listed above.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

Document ID:000019803
Creation Date: 03-Dec-2020
Modified Date:02-Mar-2022
- SUSE Linux Enterprise High Availability Extension
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com