Thanks, Randal, for the response. But it did not work.

Here are the results:
#yum info cockpit
Name        : cockpit
Arch        : x86_64
Version     : 195.1
Release     : 1.el7.centos.0.1
Size        : 51 k
Repo        : installed
From repo   : extras
Summary     : Web Console for Linux servers
URL         : https://cockpit-project.org/
License     : LGPLv2+


[root@cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1

[root@cockpit ~]#
[root@cockpit ~]# systemctl start cockpit
[root@cockpit ~]# systemctl status cockpit -l
● cockpit.service - Cockpit Web Service
   Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor preset: disabled)
  Drop-In: /etc/systemd/system/cockpit.service.d
           └─ssl.conf
   Active: active (running) since Fri 2019-12-27 16:23:21 EST; 1min 25s ago
     Docs: man:cockpit-ws(8)
  Process: 3564 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group=cockpit-ws --selinux-type=etc_t (code=exited, status=0/SUCCESS)
 Main PID: 3573 (cockpit-ws)
   CGroup: /system.slice/cockpit.service
           └─3573 /usr/libexec/cockpit-ws

Dec 27 16:23:21 cockpit.localdomain systemd[1]: Starting Cockpit Web Service...
Dec 27 16:23:21 cockpit.localdomain systemd[1]: Started Cockpit Web Service.
Dec 27 16:23:21 cockpit.localdomain cockpit-ws[3573]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Dec 27 16:23:30 cockpit.localdomain cockpit-ws[3573]: received invalid HTTP request line
[root@cockpit ~]#

[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA

On Fri, Dec 27, 2019 at 10:09 AM Randal, Phil
<phil.ran...@hoopleltd.co.uk> wrote:
>
> Oops, excuse my typo
>
> Create /etc/systemd/system/cockpit.service.d/ssl.conf containing
>
> [Service]
> Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
>
> Then
>
> systemctl daemon-reload
> systemctl restart cockpit
>
> To verify that TLS 1.1 is disabled,
>
> echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
>
> The expected result is:
>
> New, (NONE), Cipher is (NONE)
>     Protocol  : TLSv1.1
>     Cipher    : 0000
>
> Cheers,
>
> Phil
>
> -----Original Message-----
> From: Randal, Phil
> Sent: 27 December 2019 15:04
> To: 'CentOS mailing list' <centos@centos.org>
> Subject: RE: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit
>
> Try creating /etc/system/system/cockpit.service.d/ssl.conf and putting this 
> in it:
>
> [Service]
> Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
>
> Then
>
> systemctl daemon-reload
> systemctl restart cockpit
>
> Cheers,
>
> Phil
>
>
> -----Original Message-----
> From: CentOS <centos-boun...@centos.org> On Behalf Of Erick Perez - Quadrian 
> Enterprises
> Sent: 27 December 2019 03:26
> To: centos@centos.org
> Subject: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit
>
> Hi, I'm using cockpit in standard port 9090 in a CentOS 7 system.
> Due to a suggestion from management, they want TLS 1.1 disabled system-wide 
> in all Linux boxes and TLS 1.2 enabled.
>
> I have not found proper documentation on how to disable it for cockpit 
> (version 195.1 ships with CentOS 7)
>
> So far I have tried (https://cockpit-project.org/guide/149/https.html):
>
> /usr/lib/systemd/system/cockpit.service
> [Service]
> Environment=G_TLS_GNUTLS_PRIORITY=-VERS-ALL:+VERS-TLS1.2
>
> And I also created the file /etc/systemd/system/cockpit.service.d/ssl.conf
> and added:
> [Service]
> Environment=G_TLS_GNUTLS_PRIORITY=-VERS-ALL:+VERS-TLS1.2
>
> after that, I systemctl restart cockpit
>
> But if I do
> #openssl s_client -connect  localhost:9090 -tls1_1 I get a proper response (a 
> certificate), so TLS 1.1 is being accepted.
>
> Suggestions?
>
> Thanks.
>
> --
>
> ---------------------
> Erick Perez
> ---------------------
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos



-- 

---------------------
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
---------------------
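
Added example, not part of the original messages: two offline checks for the procedure discussed in this thread. The first confirms that the Environment= line of a drop-in sits under a [Service] header (systemd ignores assignments placed before any section header); the second classifies openssl s_client output the way the verification step does. Function names and temporary files are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Function names and temp files are assumptions; sample file
# contents and s_client output lines are copied from the thread.

# Return 0 only if FILE sets VAR through Environment= inside [Service].
# systemd ignores assignments that appear before any section header.
env_in_service_section() {
    awk -v var="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }        # trim whitespace
        /^[#;]/ { next }                       # skip comments
        /^\[.*\]$/ { section = $0; next }      # remember current section
        section == "[Service]" && index($0, "Environment=") == 1 &&
            index($0, var "=") > 0 { found = 1 }
        END { exit !found }
    ' "$1"
}

# Classify openssl s_client output read from stdin.
handshake_verdict() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|Cipher +: +0000'; then
        echo rejected          # no cipher negotiated: protocol refused
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo accepted          # a cipher was negotiated on this protocol
    else
        echo unknown           # no handshake summary in the input
    fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
line='Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1'
printf '%s\n' "$line" > "$tmp/no-section.conf"               # as in the cat output
printf '%s\n' '[Service]' "$line" > "$tmp/with-section.conf" # as suggested

for f in "$tmp/no-section.conf" "$tmp/with-section.conf"; do
    if env_in_service_section "$f" G_TLS_GNUTLS_PRIORITY; then
        echo "$f: Environment= is under [Service]"
    else
        echo "$f: Environment= is not under [Service]"
    fi
done
printf 'New, (NONE), Cipher is (NONE)\n    Cipher    : 0000\n' | handshake_verdict
printf 'New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA\n' | handshake_verdict
```

On a live host, systemctl show cockpit -p Environment prints the environment systemd actually applied to the unit after daemon-reload.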