chsecurity

Use the chsecurity command to change the Secure Sockets Layer (SSL), Secure Shell (SSH), or Transport Layer Security (TLS) security settings for a system.

Syntax

chsecurity { -sslprotocol security_level | -sshprotocol security_level }

Parameters

Remember: These parameters are mutually exclusive. You must specify -sslprotocol or -sshprotocol, not both.
-sslprotocol security_level
(Required) Specifies the numeric value for the SSL security level setting, which can take any value from 1 to 4. A setting of 3 is the default value.
Use these sslprotocol security level settings.
  • 1 Disallows SSL 3.0.
  • 2 Allows TLS 1.2 only.
  • 3 Additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
  • 4 Additionally disallows RSA key exchange ciphers.
-sshprotocol security_level
(Required) Specifies the numeric value for the SSH security level setting, which can take a value of 1 or 2. A setting of 1 is the default value.
Use these sshprotocol security level settings.
  • 1 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1
    • diffie-hellman-group-exchange-sha1
  • 2 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
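
The difference between the two -sshprotocol levels, as an added shell example that is not part of the original documentation: it compares a client's key exchange list (one method per line, the format OpenSSH prints for `ssh -Q kex`) with the lists above to show whether that client still shares a method with the system after a level change. The function names and the sample client list are constructed for illustration.

```shell
#!/bin/sh
# Methods allowed at -sshprotocol 2, copied from the list above.
LEVEL2_KEX="curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1"
# Level 1 allows the same methods plus two more SHA-1 based ones.
LEVEL1_KEX="$LEVEL2_KEX
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1"

# Constructed sample: a legacy client offering only the two extra level 1 methods.
LEGACY_CLIENT_KEX="diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1"

# allowed_kex LEVEL (hypothetical helper): print the methods accepted at LEVEL.
allowed_kex() {
    case "$1" in
        1) printf '%s\n' "$LEVEL1_KEX" ;;
        2) printf '%s\n' "$LEVEL2_KEX" ;;
        *) echo "unknown -sshprotocol level: $1" >&2; return 2 ;;
    esac
}

# dropped_at_level2: print the methods that stop working when moving from 1 to 2.
dropped_at_level2() {
    printf '%s\n' "$LEVEL1_KEX" | grep -Fxv -- "$LEVEL2_KEX"
}

# shared_kex LEVEL: read a client KEX list on stdin and print the methods the
# system also accepts at LEVEL. Exit status 1 means nothing is shared, so the
# client could not negotiate a session at that level.
shared_kex() {
    allowed=$(allowed_kex "$1") || return 2
    # -F: literal strings, -x: whole-line match only.
    grep -Fx -- "$allowed"
}

if printf '%s\n' "$LEGACY_CLIENT_KEX" | shared_kex 2 >/dev/null; then
    echo "legacy client: still has a shared key exchange at level 2"
else
    echo "legacy client: no shared key exchange at level 2"
fi
```

To check a real OpenSSH client before raising the level, pipe its own list in, for example `ssh -Q kex | shared_kex 2`.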

Description

This command changes the SSL, SSH, or TLS security settings on a system.
Important: If you use SSL or TLS, changing the security might disrupt these services.
Use this procedure if disruption occurs.
  1. Wait 5 minutes and try again. (Wait for any services to restart.)
  2. Confirm that the SSL or TLS implementation is up-to-date and supports the specified level of security.
  3. If necessary, revert to an earlier version of SSL or TLS security.

An invocation example

chsecurity -sslprotocol 4

The resulting output

Changing the SSL security level could disable the GUI connection on old web browsers, 
and changing the SSH security level may logout existing SSH sessions. Are you sure you wish to continue? (y/yes to confirm)

An invocation example

chsecurity -sshprotocol 2

The resulting output

Changing the SSL security level could disable the GUI connection on old web browsers, 
and changing the SSH security level may logout existing SSH sessions. Are you sure you wish to continue? (y/yes to confirm)