Disable TLS 1.0 on Arista eAPI


What if you need to disable TLS 1.0 for the eAPI service running on your Arista switch? By default Arista’s eAPI has TLS 1.0, TLS 1.1, and TLS 1.2 enabled. Thanks to Arista TAC for these steps! Hopefully they will disable TLS 1.0 by default in the future.

08/16/2019: This article has been updated to also disable the anonymous Diffie-Hellman (TLS_DH_anon) cipher suites.

1. Start by creating a self-signed certificate and key. From the EOS CLI, bash runs the rest of the line in the switch's Linux shell:

bash sudo openssl req -new -nodes -x509 -days 365 -out /mnt/flash/ssl.crt -keyout /mnt/flash/ssl.key -subj /CN=self.signed

This creates a self-signed certificate and an unencrypted private key (-nodes) under /mnt/flash, which EOS exposes as flash:. The certificate is valid for 365 days, so plan to renew it before it expires, and because it is self-signed, eAPI clients cannot validate it against a CA; if you have a CA-issued certificate and key, copy those instead in the next step.

2. Now copy the certificate and key into the EOS certificate and key stores:

copy flash:ssl.crt certificate:
copy flash:ssl.key sslkey:

3. Now create the SSL profile and apply this configuration:

management security
ssl profile test
tls versions 1.2
cipher-list HIGH:!NULL:!MD5:!ADH:!aNULL
certificate ssl.crt key ssl.key

tls versions 1.2 limits the profile to TLS 1.2 alone. The cipher-list is an OpenSSL cipher string: HIGH keeps the high-strength suites, and !NULL, !MD5, !ADH and !aNULL drop null-encryption, MD5-MAC and anonymous (unauthenticated) Diffie-Hellman suites. aNULL is the OpenSSL alias covering every anonymous key exchange, ADH included; it is written with a lowercase a and no space before it.

4. Verify that the SSL profile is valid:

switch#show management security ssl profile test
Profile State
-------------
test valid

5. Now apply the profile to the management API (eAPI) HTTPS listener:

management api http-commands
protocol https ssl profile test
no shutdown
!

6. Verify that only TLS 1.2 is in use. The same output also shows the plaintext HTTP server still running on port 80; if eAPI should only be reachable over TLS, disable it with no protocol http under management api http-commands:

switch(config)#show management api http-commands
Enabled: Yes
HTTPS server: running, set to use port 443
HTTP server: running, set to use port 80
Local HTTP server: shutdown, no authentication, set to use port 8080
Unix Socket server: running, no authentication
VRF: default
Hits: 0
Last hit: never
Bytes in: 0
Bytes out: 0
Requests: 0
Commands: 0
Duration: 0.000 seconds
SSL Profile: test, valid
FIPS Mode: No
QoS DSCP: 0
CSP Frame Ancestor: None
TLS Protocols: 1.2
URLs
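The show output above reports what the switch believes it is offering. A practitioner will also want to confirm it from the outside, by attempting handshakes the profile should refuse. The script below is an added example for that, not Arista's code or the original article's: it connects to the eAPI HTTPS port and tries TLS 1.0, TLS 1.1, TLS 1.2, and a TLS 1.2 handshake that offers only anonymous (aNULL) suites, reporting which ones the server accepts. It goes one step beyond the article's own check by including the aNULL probe, which verifies the 08/16/2019 cipher-list change. It assumes Python 3.7+ with only the standard library, that eAPI listens on port 443 as in the output above, and, for the offline self-test, that the openssl binary is on PATH (the self-test reuses the article's self-signed certificate command to stand up a local listener configured like profile test). The hostname in the usage note is a placeholder.

```python
import os
import socket
import ssl
import subprocess
import sys
import tempfile
import threading

# The article's SSL-profile cipher list (written without the stray space;
# aNULL is OpenSSL's alias for every anonymous key-exchange suite, ADH included).
PROFILE_CIPHERS = "HIGH:!NULL:!MD5:!ADH:!aNULL"

# (label, client min version, client max version, client cipher string).
# "@SECLEVEL=0" makes a modern OpenSSL client willing to *offer* TLS 1.0/1.1 and
# anonymous suites, so a failed handshake is the server refusing, not the client.
PROBES = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1,   "ALL:@SECLEVEL=0"),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1, "ALL:@SECLEVEL=0"),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2, "DEFAULT:@SECLEVEL=0"),
    ("aNULL",   ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2, "aNULL:@SECLEVEL=0"),
]


def probe(host, port=443, timeout=5.0):
    """Return {label: "accepted <version> <cipher>" | "rejected: <why>" |
    "not probed: <why>"}; "not probed" means this client build cannot even
    offer that version or suite, so it says nothing about the server."""
    results = {}
    for label, lo, hi, ciphers in PROBES:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # the switch presents a self-signed cert;
            ctx.verify_mode = ssl.CERT_NONE  # we are testing the handshake, not trust
            ctx.minimum_version, ctx.maximum_version = lo, hi
            ctx.set_ciphers(ciphers)
        except (ssl.SSLError, ValueError) as exc:
            results[label] = "not probed: %s" % exc
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = "accepted %s %s" % (tls.version(), tls.cipher()[0])
        except (ssl.SSLError, OSError) as exc:
            results[label] = "rejected: %s" % exc
    return results


def make_self_signed(directory):
    """The article's openssl command, writing ssl.crt and ssl.key into directory."""
    crt, key = os.path.join(directory, "ssl.crt"), os.path.join(directory, "ssl.key")
    subprocess.run(["openssl", "req", "-new", "-nodes", "-x509", "-days", "365",
                    "-out", crt, "-keyout", key, "-subj", "/CN=self.signed"],
                   check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def start_profile_server(crt, key):
    """Local stand-in for the switch listener with profile 'test' applied;
    returns (port, stop_event). Runs in a daemon thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # 'tls versions 1.2'
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PROFILE_CIPHERS)               # 'cipher-list ...'
    ctx.load_cert_chain(crt, key)                  # 'certificate ssl.crt key ssl.key'
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    listener.settimeout(0.2)                       # lets the loop notice stop
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            conn.settimeout(5.0)
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)        # hold the session until the client hangs up
            except (ssl.SSLError, OSError):
                pass                   # a refused handshake is the expected outcome
            finally:
                conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], stop


def self_test():
    """Probe a local listener configured like the article's profile."""
    with tempfile.TemporaryDirectory() as tmp:
        port, stop = start_profile_server(*make_self_signed(tmp))
        try:
            return probe("127.0.0.1", port)
        finally:
            stop.set()


if __name__ == "__main__":
    report = probe(sys.argv[1]) if len(sys.argv) > 1 else self_test()
    for label, outcome in report.items():
        print("%-8s %s" % (label, outcome))
```

Run it as python3 eapi_tls_probe.py switch.example.net (placeholder hostname) from a management host; with no argument it runs the offline self-test instead. Against a correctly configured switch, only the TLSv1.2 line should read "accepted" and the other three should read "rejected". A "not probed" line for TLSv1.0 or TLSv1.1 means the client's OpenSSL build has that protocol compiled out, so test from a host with a different OpenSSL before drawing a conclusion. The @SECLEVEL=0 setting matters on OpenSSL 3, which otherwise refuses TLS 1.0 and 1.1 on the client side and would make every probe look like a server rejection.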