TWSD-1806: Requirement of AVX WebUI should be opened on TLS v 1.3

Review Request #1476 — Created March 31, 2026 and submitted April 10, 2026, 6:03 p.m.

Information
Owner:	bsrivalli
Repository:	AVX2
Branch:	rel_avx_2_7_6
Bugs:	TWSD-1806
Depends On:
Reviewers
Groups:
People:	ngurunathan, shuinvy, stevenku, wli

Description

TLSv1.3 support requires OpenSSL version 1.1.1 or above along with a compatible lighttpd version.Earlier, the lighttpd module was linked against OpenSSL 1.0.2k, which does not provide support for TLSv1.3.As libopenssl-1.1.1 is already available in the project, the build configuration has been updated to link the lighttpd module (mod_openssl.so) with libopenssl-1.1.1.With this change, the WebUI is now capable of establishing connections using TLSv1.3.

Testing Done

AN(config)#sh webui ssl settings

webui ssl settings clientauth disable

webui ssl settings authmandatory enable

webui ssl settings ciphersuites "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384"

webui ssl settings protocol "TLSv12"
AN(config)#webui ssl settings ciphersuites "ECDHE-RSA-AES256-SHA:TLS-AES128-GC$
AN(config)#webui ssl settings protocol "TLSv13"
AN(config)#sh webui ssl settings

webui ssl settings clientauth disable

webui ssl settings authmandatory enable

webui ssl settings ciphersuites "ECDHE-RSA-AES256-SHA:TLS-AES128-GCM-SHA256:TLS-AES256-GCM-SHA384"

webui ssl settings protocol "TLSv13"
curl -kv --tlsv1.3 "https://192.168.162.227:8888"


About to connect() to 192.168.162.227 port 8888 (#0)


Trying 192.168.162.227...


Connected to 192.168.162.227 (192.168.162.227) port 8888 (#0)


Initializing NSS with certpath: sql:/etc/pki/nssdb


skipping SSL peer certificate verification


SSL connection using TLS_AES_256_GCM_SHA384


Server certificate:


subject: E=webui@arraynetworks.net,CN=Array Networks,O="Array Networks, Inc",L=Campbell,ST=CA,C=US


start date: Dec 10 06:02:47 2015 GMT


expire date: Dec 07 06:02:47 2025 GMT


common name: Array Networks


issuer: E=webui@arraynetworks.net,CN=Array Networks,O="Array Networks, Inc",L=Campbell,ST=CA,C=US


GET / HTTP/1.1

User-Agent: curl/7.29.0

Host: 192.168.162.227:8888

Accept: /
< HTTP/1.1 302 Found

< Vary: Accept-Language, Cookie

< X-Frame-Options: SAMEORIGIN

< X-Frame-Options: SAMEORIGIN

< Content-Type: text/html; charset=utf-8

< Location: https://192.168.162.227:8888/app/

< Content-Language: en-us

< Set-Cookie: django_language=en; httponly; Path=/; secure

< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

< X-Content-Type-Options: nosniff

< X-XSS-Protection: 1; mode=block

< Content-Security-Policy: default-src 'self'; script-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; style-src 'self' 'unsafe-inline'; object-src 'none' ;

< Cache-Control: no-store

< Pragma: no-cache

< Content-Length: 0

< Date: Tue, 31 Mar 2026 07:22:13 GMT

<



Connection #0 to host 192.168.162.227 left intact

Description:

~		The configuration has been enhanced to ensure that the WebUI supports and prioritizes TLSv1.3.The system now accepts connections over TLSv1.3 and restricts or deprioritizes older TLS versions, ensuring secure and compliant communication.
	~	The configuration has been enhanced to ensure that the WebUI supports and prioritizes TLSv1.3.

Change Summary:

Removed some of the logs from code.

Description:

~		The configuration has been enhanced to ensure that the WebUI supports and prioritizes TLSv1.3.
	~	TLSv1.3 support requires OpenSSL version 1.1.1 or above along with a compatible lighttpd version.Earlier, the lighttpd module was linked against OpenSSL 1.0.2k, which does not provide support for TLSv1.3.As libopenssl-1.1.1 is already available in the project, the build configuration has been updated to link the lighttpd module (mod_openssl.so) with libopenssl-1.1.1.With this change, the WebUI is now capable of establishing connections using TLSv1.3.

Testing Done:

		AN(config)#sh webui ssl settings
		webui ssl settings clientauth disable
		webui ssl settings authmandatory enable
		webui ssl settings ciphersuites "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384"
		webui ssl settings protocol "TLSv12"

		AN(config)#webui ssl settings ciphersuites "ECDHE-RSA-AES256-SHA:TLS-AES128-GC$

		AN(config)#webui ssl settings protocol "TLSv13"

		AN(config)#sh webui ssl settings
		webui ssl settings clientauth disable
		webui ssl settings authmandatory enable
		webui ssl settings ciphersuites "ECDHE-RSA-AES256-SHA:TLS-AES128-GCM-SHA256:TLS-AES256-GCM-SHA384"
		webui ssl settings protocol "TLSv13"
	+
	+	curl -kv --tlsv1.3 "https://192.168.162.227:8888"
	+
	+	About to connect() to 192.168.162.227 port 8888 (#0)
	+	Trying 192.168.162.227...
	+	Connected to 192.168.162.227 (192.168.162.227) port 8888 (#0)
	+	Initializing NSS with certpath: sql:/etc/pki/nssdb
	+	skipping SSL peer certificate verification
	+	SSL connection using TLS_AES_256_GCM_SHA384
	+	Server certificate:
	+	subject: E=webui@arraynetworks.net,CN=Array Networks,O="Array Networks, Inc",L=Campbell,ST=CA,C=US
	+	start date: Dec 10 06:02:47 2015 GMT
	+	expire date: Dec 07 06:02:47 2025 GMT
	+	common name: Array Networks
	+	issuer: E=webui@arraynetworks.net,CN=Array Networks,O="Array Networks, Inc",L=Campbell,ST=CA,C=US GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 192.168.162.227:8888 Accept: / < HTTP/1.1 302 Found < Vary: Accept-Language, Cookie < X-Frame-Options: SAMEORIGIN < X-Frame-Options: SAMEORIGIN < Content-Type: text/html; charset=utf-8 < Location: https://192.168.162.227:8888/app/ < Content-Language: en-us < Set-Cookie: django_language=en; httponly; Path=/; secure < Strict-Transport-Security: max-age=63072000; includeSubDomains; preload < X-Content-Type-Options: nosniff < X-XSS-Protection: 1; mode=block < Content-Security-Policy: default-src 'self'; script-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; style-src 'self' 'unsafe-inline'; object-src 'none' ; < Cache-Control: no-store < Pragma: no-cache < Content-Length: 0 < Date: Tue, 31 Mar 2026 07:22:13 GMT <
	+	Connection #0 to host 192.168.162.227 left intact

People:

+	shuinvy

Diff:

Revision 2 (+130 -12)

Show changes

	branches/rel_avx_2_7_6/src/webui/webui.h
	branches/rel_avx_2_7_6/src/webui/webui.c
	branches/rel_avx_2_7_6/src/webui/webui/Makefile
	branches/rel_avx_2_7_6/src/webui/webui/htdocs/new/src/client/app/modules/system/submenu/access_control/webui.html
	branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/Makefile
	branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/build.sh
	branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd-1.4.64.tar.xz
	branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd_openssl_linker.patch
	1 more

Status: Discarded

Change Summary:

Did some changes in the code.

Status: Re-opened

Ship it!

```
Ship It!
```

Ship it!

```
Ship It!
```

Ship it!

```
Ship It!
```

You have a pending review.

Review Board 5.0.5

TWSD-1806: Requirement of AVX WebUI should be opened on TLS v 1.3

Description:

Change Summary:

Description:

Testing Done:

People:

Diff:

Status: Discarded

Change Summary:

Status: Re-opened

Status: Closed (submitted)