Thanks, Randal, for the response. But it did not work. Here are the results:

#yum info cockpit
Name        : cockpit
Arch        : x86_64
Version     : 195.1
Release     : 1.el7.centos.0.1
Size        : 51 k
Repo        : installed
From repo   : extras
Summary     : Web Console for Linux servers
URL         : https://cockpit-project.org/
License     : LGPLv2+

[root@cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
[root@cockpit ~]#
[root@cockpit ~]# systemctl start cockpit
[root@cockpit ~]# systemctl status cockpit -l
● cockpit.service - Cockpit Web Service
   Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor preset: disabled)
  Drop-In: /etc/systemd/system/cockpit.service.d
           └─ssl.conf
   Active: active (running) since Fri 2019-12-27 16:23:21 EST; 1min 25s ago
     Docs: man:cockpit-ws(8)
  Process: 3564 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group=cockpit-ws --selinux-type=etc_t (code=exited, status=0/SUCCESS)
 Main PID: 3573 (cockpit-ws)
   CGroup: /system.slice/cockpit.service
           └─3573 /usr/libexec/cockpit-ws

Dec 27 16:23:21 cockpit.localdomain systemd[1]: Starting Cockpit Web Service...
Dec 27 16:23:21 cockpit.localdomain systemd[1]: Started Cockpit Web Service.
Dec 27 16:23:21 cockpit.localdomain cockpit-ws[3573]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Dec 27 16:23:30 cockpit.localdomain cockpit-ws[3573]: received invalid HTTP request line
[root@cockpit ~]#
[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA

On Fri, Dec 27, 2019 at 10:09 AM Randal, Phil <phil.ran...@hoopleltd.co.uk> wrote:
>
> Oops, excuse my typo
>
> Create /etc/systemd/system/cockpit.service.d/ssl.conf containing
>
> [Service]
> Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
>
> Then
>
> systemctl daemon-reload
> systemctl restart cockpit
>
> To verify that TLS 1.1 is disabled,
>
> echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
>
> The expected result is:
>
> New, (NONE), Cipher is (NONE)
> Protocol : TLSv1.1
> Cipher : 0000
>
> Cheers,
>
> Phil
>
> -----Original Message-----
> From: Randal, Phil
> Sent: 27 December 2019 15:04
> To: 'CentOS mailing list' <centos@centos.org>
> Subject: RE: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit
>
> Try creating /etc/system/system/cockpit.service.d/ssl.conf and putting this in it:
>
> [Service]
> Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
>
> Then
>
> systemctl daemon-reload
> systemctl restart cockpit
>
> Cheers,
>
> Phil
>
>
> -----Original Message-----
> From: CentOS <centos-boun...@centos.org> On Behalf Of Erick Perez - Quadrian Enterprises
> Sent: 27 December 2019 03:26
> To: centos@centos.org
> Subject: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit
>
> Hi, I'm using cockpit in standard port 9090 in a Centos 7 system.
> Due to a suggestion from management, they want TLS 1.1 disabled system-wide in all Linux boxes and TLS 1.2 enabled.
>
> I have not found proper documentation on how to disable it for cockpit (version 195.1 ships with Centos 7)
>
> So far I have tried (https://cockpit-project.org/guide/149/https.html):
>
> /usr/lib/systemd/system/cockpit.service
> [Service]
> Environment=G_TLS_GNUTLS_PRIORITY=-VERS-ALL:+VERS-TLS1.2
>
> And I also created the file /etc/systemd/system/cockpit.service.d/ssl.conf and added:
> [Service]
> Environment=G_TLS_GNUTLS_PRIORITY=-VERS-ALL:+VERS-TLS1.2
>
> after that, I systemctl restart cockpit
>
> But if I do
> #openssl s_client -connect localhost:9090 -tls1_1
> I get a proper response (a certificate), so TLS 1.1 is being accepted.
>
> Suggestions?
>
> Thanks.
>
> --
>
> ---------------------
> Erick Perez
> ---------------------
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos

--

---------------------
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
---------------------
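
An added example, not part of the thread: a shell check for the two things the verification above depends on, namely that the Environment= line in the drop-in sits under a [Service] header (as in Phil's instructions) and that the openssl s_client summary shows no negotiated cipher. Function names and sample inputs are constructed for illustration; only the unquoted Environment=VAR=value form used in the thread is handled.

```shell
#!/bin/sh
# Added example: names and sample inputs are constructed, not from the thread.

# dropin_sets_var VAR < drop-in file
# Succeeds only if an unquoted Environment=VAR=... line sits under [Service];
# systemd ignores assignments that appear before any section header.
dropin_sets_var() {
    awk -v var="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim whitespace
        /^[#;]/ { next }                                # comments
        /^\[/   { sec = $0; next }                      # section header
        sec == "[Service]" && index($0, "Environment=" var "=") == 1 { found = 1 }
        END { exit !found }'
}

# tls_handshake_result < output of the s_client | grep pipeline from the thread
# Prints accepted, rejected or unknown.
tls_handshake_result() {
    awk '
        /^New, .*Cipher is /   { neg = $NF }
        /^[ \t]*Cipher[ \t]*:/ { cur = $NF }
        END {
            if (neg == "" && cur == "")                print "unknown"
            else if (neg == "(NONE)" || cur == "0000") print "rejected"
            else                                       print "accepted"
        }'
}

# probe HOST:PORT FLAG, e.g. probe localhost:9090 -tls1_1 (needs openssl)
probe() {
    echo test | openssl s_client -connect "$1" "$2" 2>&1 | tls_handshake_result
}

# Demo on constructed drop-in contents: without and with the section header.
PRIO='G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1'
printf 'Environment=%s\n' "$PRIO" | dropin_sets_var G_TLS_GNUTLS_PRIORITY \
    || echo "bare Environment= line: outside [Service], ignored by systemd"
printf '[Service]\nEnvironment=%s\n' "$PRIO" | dropin_sets_var G_TLS_GNUTLS_PRIORITY \
    && echo "with [Service] header: applies after daemon-reload and restart"
```

On the host itself, `systemctl show cockpit -p Environment` reports whether the loaded unit actually carries the variable.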